FBI left out of the loop in cyberattack reporting bill

The FBI could be sidelined in new cybersecurity legislation, a top Bureau official told lawmakers Tuesday. And, in the view of America’s most powerful law enforcement agency, that would be a big problem.

In testimony to Congress, Bryan Vorndran, the assistant director of the FBI’s Cyber Division, said that the Biden administration is “troubled” by legislation proposed by the Senate and House Homeland Security committees requiring a wide range of companies to report intrusions to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency but not simultaneously to the FBI.

“Current incident reporting legislation being considered fails to recognize the critical expertise and role that DOJ, including the FBI, play when it comes to cyber incident reporting,” Vorndran said in a statement for the record provided to the House Committee on Oversight and Reform.

“Cyber is a team sport, and the Department of Justice and the FBI are a key player,” Vorndran continued. “It is time for legislation to reflect this reality.”

The Biden administration’s stance throws a last-minute wrench into a yearslong effort to require key companies to disclose cyberattacks.

The House’s annual must-pass defense bill includes language requiring critical infrastructure operators and federal contractors to alert CISA if they are hacked. Similar language is likely to make it into the Senate’s version of the bill. The provision — the result of weeks of negotiations between the leaders of the Senate homeland security and intelligence panels — would represent the most sweeping cyber regulation ever imposed on the private sector.

One of the biggest problems facing government cyber defenders is their lack of insight into many of the digital attacks on private companies. Unlike in some other countries, the U.S. does not directly monitor or defend most critical private sector networks. That means government agencies rely on companies to voluntarily disclose hacks so they can assemble a complete picture of the threat environment and develop security recommendations accordingly.

In the wake of high-profile ransomware attacks on Colonial Pipeline, the meat processing giant JBS and the IT software vendor Kaseya, Biden administration officials have been adamant that Congress should mandate cyber incident reporting for the nation’s most important companies.

“The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” CISA Director Jen Easterly told the Senate Homeland Security Committee in September.

But while CISA leads what officials call the government’s “asset response” work by addressing specific vulnerabilities and helping victims upgrade their networks, the FBI oversees the “threat response” mission by identifying and deterring the hackers. For that reason, Justice Department and FBI officials want rapid access to any incident reports.

“We urge Congress to create a national standard for reporting significant cyber incidents and to require that the reported information be shared immediately with the Justice Department,” Attorney General Merrick Garland said during a Nov. 8 news conference announcing actions against ransomware gangs.

Lisa Monaco, the deputy attorney general, also called for mandatory reporting in an Oct. 6 CNBC op-ed.

The administration’s call for simultaneous reporting to CISA and the FBI could derail efforts to slip the incident reporting language into the defense policy bill unless lawmakers quickly embrace the idea.

Rep. Yvette Clarke (D-N.Y.), who chairs the House Homeland Security cyber subcommittee and was a lead sponsor of her chamber's reporting mandate, said she didn't favor changing the program.

"We took seriously the disparate, yet complementary, roles played by agencies across the federal government," she said. "But, ultimately, we believe that CISA ... should lead the federal government's cyber incident reporting program."

Spokespeople for the reporting legislation's other chief sponsors did not provide comments on the administration’s call for legislative changes.

It is also unclear whether the bureau’s position reflects any strain between the FBI and CISA, which have tried to form a close working relationship in the three years since CISA’s creation.

Also unclear: whether a mandatory reporting requirement to the FBI would trigger heated opposition from the private sector.