Legislation that would mandate cyber-incident reporting to the federal government is circulating through Congress. The bills that are likely to pass do not cover higher education, but all of the proposals provide clues about what EDUCAUSE members may see in the future.
The struggle to determine the final amount and shape of a potential $3.5 trillion budget reconciliation package, which would largely be focused on social spending, has stalled action in Congress on a variety of other legislative priorities. However, given the deep concerns about how a lack of information-sharing by private entities with the federal government may be negatively affecting the nation's response to cyber threats, policymakers continue to work toward mandatory cyber-incident reporting legislation.
Senate Intelligence Committee Chairman Mark Warner (D-VA) was the first out of the gate in this arena. He introduced his Cyber Incident Notification Act back in July. From a higher education perspective, this bill poses a number of problems. One of the most notable of these problems is that a significant number of higher education institutions could face mandatory reporting requirements, as the bill includes "federal contractors" within its scope of covered entities along with organizations that fall under the Department of Homeland Security's "critical-infrastructure" categories. The legislation defines "federal contractor" in broad terms. It would give the intended enforcement agency, the Cybersecurity and Infrastructure Security Agency (CISA), a relatively free hand in developing the regulations that would delineate covered entities in practice.[1] As a result, institutions that hold federal contracts would almost certainly be covered, while others could easily find themselves drawn into the scope of compliance depending on the types of agreements that CISA finds relevant.
The act would also give CISA broad latitude to set what needs to be reported and how without requiring the agency to fully engage with the affected sectors in the process. Under this legislation, the normal notice-and-comment process would be set aside; CISA would have to consult with relevant stakeholders, but it would get to determine who those stakeholders are, what input it would accept, and how that input would be used in the rulemaking process. The agency would also be empowered to impose an interim final rule with requirements that would take effect immediately once the regulation has been issued, reinforcing concerns about the extent to which stakeholder feedback would inform the reporting requirements and processes affected entities would have to follow.
One issue that the Cyber Incident Reporting Act would not leave to agency discretion is the reporting deadline. Covered entities would have to report to CISA within twenty-four hours of confirming a "cybersecurity intrusion or potential cybersecurity intrusion" (emphasis added).[2] Depending on what constitutes "confirmation" as well as how a "potential" cyber incident is defined, a twenty-four-hour reporting deadline may or may not be reasonable. However, with such a tight deadline and the possibility that CISA could take a very expansive view of what constitutes a potential cybersecurity intrusion as well as an organization's confirmation of an intrusion, the bill could generate a great deal of overreporting, especially since the penalty for noncompliance would be up to 0.5 percent of the organization's prior year gross revenue for each day a violation continues.
Fortunately, CISA falls under the Department of Homeland Security (DHS), which means that the House Committee on Homeland Security (i.e., the House Homeland Security Committee) and the Senate Committee on Homeland Security and Governmental Affairs (i.e., the Senate Homeland Security Committee), not the Senate Intelligence Committee, have jurisdiction over cyber-incident reporting legislation affecting the agency. And the good news continues, given that the House and Senate Homeland Security Committees have more recently introduced roughly similar cyber-incident reporting bills of their own, both of which focus on critical-infrastructure entities. Since higher education does not fall under a critical-infrastructure category, the requirements of the bills likely would not apply to colleges and universities, making them preferable to the Senate Intelligence Committee (i.e., Warner) bill. I use the modifier "likely" since the text of both bills would give CISA some latitude in defining what types of organizations fall within the scope of "critical infrastructure." However, the specific references to such entities, combined with DHS's existing, well-defined critical-infrastructure categories, minimize the possibility that CISA would step outside of the established framework to designate sectors and organizations previously not considered critical infrastructure as such for the purposes of this legislation.
Because of the difficulty with moving bills through Congress, all of the relevant actors would like to see their reporting bills attached to the National Defense Authorization Act (NDAA), the annual "must-pass" bill that reauthorizes the defense budget. The House Homeland Security bill has already been adopted as an amendment to the House version of the NDAA (see Sec. 1535, "Cyber Incident Review Office"). The Senate continues to work toward passage of its NDAA legislation, and the Senate Homeland Security Committee has stated its intention to have its cyber-incident reporting bill, S. 2875—The Cyber Incident Reporting Act, adopted as an amendment to the Senate version of the NDAA. Given the similar action taken by the House and bipartisan interest in strengthening the federal response to cybersecurity challenges, the Senate Homeland Security Committee will probably be successful in adding its legislation to the NDAA as well, with the differences between the House and Senate versions being resolved during the conference committee to harmonize the larger House and Senate NDAA bills. Meanwhile, the Senate Intelligence Committee bill will remain tabled in the Senate Homeland Security Committee, although the Intelligence Committee could try to move pieces of its legislation later through its own or other channels.
Finally, on October 4, Senator Elizabeth Warren (D-MA) and Congresswoman Deborah Ross (D-NC) introduced a bill specifically focused on ransomware reporting. The Ransom Disclosure Act would require an affected entity to report a ransomware payment to DHS within forty-eight hours of having made one, along with pertinent details (e.g., when the ransom demand was made and met, the amount paid and in what form, and any available details about the attacker).[3] DHS would also be required to implement a website to allow individuals to report ransomware attacks that have been made against them. Almost all colleges and universities would have to comply since any entity that is engaged in interstate commerce or that receives federal funds would be covered. However, the penalties for noncompliance are not yet clear since the legislation would give DHS the discretion to set those penalties. There is no indication that this bill will be considered beyond the committee stage since, once again, it falls under the Homeland Security Committee, and the committee leaders already have the above-mentioned reporting bills in progress. That said, the Senate Homeland Security bill also highlights the need for ransomware reporting within the overall scope of reporting it would require; this could emerge as a feature of the final cyber-incident reporting provision included in the final version of the fiscal year 2022 (FY22) NDAA.
With these various pieces of legislation in mind, it appears that higher education dodged a bullet in terms of the mandates proposed in the Senate Intel bill. Colleges and universities are therefore only interested observers regarding what happens with cyber-incident reporting via the FY22 NDAA. Higher education institutions may not be able to count on avoiding federal cyber-incident reporting requirements in the future, though. Policymakers on both sides of the aisle and across both chambers continue to express deep concerns about the adequacy of our national response to cyberattacks, making the current round of legislation seem more like the start of a wave than the end of one. As that wave builds, EDUCAUSE will work with its members, partners, and other groups to ensure that higher education perspectives are reflected in the outcome.
Notes
1. Cyber Incident Notification Act of 2021, S.2407, 117th Congress (2021).
2. Ibid.
3. Ransom Disclosure Act, S.2926, 117th Congress (2021).
Jarret Cummings is Senior Policy Advisor at EDUCAUSE.
© 2021 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.