In a separate response, FBI Director Christopher Wray said the bill “has some serious flaws” and “would make the public less safe from cyber threats” as currently written because it would slow down the FBI’s response to hacks and hamper the government’s ability to identify and disrupt other ongoing attacks.
War of words: Jay Bhargava, a spokesperson for Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who led the bill with ranking member Rob Portman (R-Ohio), said it was “completely false” for Monaco and Wray to suggest that passing the bill would make Americans less safe.
“The FBI and DOJ were consulted for months, changes were made to the bill to address their concerns,” Bhargava said, “and 100 senators came together and passed this bill unanimously to move forward with the most significant update to American cybersecurity defenses in our nation’s history.”
Portman spokesperson Kylie Nolan echoed that, saying the bill “reflects changes from DOJ and FBI as well as many others to obtain the broad support it currently enjoys across government and the private sector.”
“The bill will make the United States significantly more secure, and any suggestion to the contrary is grossly misleading and does the public a disservice,” Nolan said. “DOJ and FBI’s concerns are out of sync with the rest of the country including, it seems, the Biden administration that they work for.”
Mixed messages: Monaco and Wray’s statements — first reported here — represent an extraordinary rebuke by one wing of the Biden administration of a bill that has garnered praise from officials in other parts of the administration.
Both National Cyber Director Chris Inglis and Jen Easterly, the director of DHS’ Cybersecurity and Infrastructure Security Agency, have called the mandate a critical tool for increasing the government’s awareness of the cyber threats percolating across the country. The FBI currently estimates that only between 20 and 25 percent of breaches are reported to the government.
“The earlier that CISA … receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” Easterly told the Senate Homeland Security Committee in September. In January, she said she was disappointed that the bill was not already law when a flaw in widely used software called Log4j exposed hundreds of millions of devices to potential hacks.
Moot point: DOJ’s sharp condemnation also comes as the bill — an omnibus measure that includes both the incident reporting mandate and overhauls of two existing federal cybersecurity programs — appears to be on a glide path to President Joe Biden’s desk after unanimous Senate passage late Tuesday. House passage is all but assured, after the lower chamber incorporated a similar version of the legislation into the annual defense policy bill last September.
Against the grain: DOJ is the only prominent voice criticizing the incident reporting mandate. Business groups, once wary of any cyber regulations, have generally embraced the mandate as a necessary response to growing threats.
Not good enough: FBI officials objected to the earlier version of the bill for not requiring dual reporting to both CISA and the FBI. In response, senators added a provision requiring CISA to share incident reports with other agencies “as soon as possible but no later than 24 hours” after receiving them.
Monaco said that tweak wasn’t good enough for the department. “With the right changes,” she said, “this bill could be a game changer in keeping us safe.”
George is Digismak’s reported cum editor with 13 years of experience in Journalism