The director of the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Friday that the agency would be "immediately" sharing incident reports from critical infrastructure organizations with the FBI.
The FBI and Department of Justice caused a minor furor on Thursday when both came out harshly against The Strengthening American Cybersecurity Act, landmark cybersecurity legislation that sailed through the Senate unanimously on Tuesday. The act forces critical infrastructure organizations to report cyberattacks to CISA within 72 hours and ransomware payments within 24 hours.
In statements to Politico, FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco trashed the bipartisan bill because the FBI and DOJ are not included alongside CISA. Wray said it "would make the public less safe from cyber threats" and Monaco claimed the bill leaves the FBI "on the sidelines and makes us less safe at a time when we face unprecedented threats."
The statements shocked officials on both sides of the aisle in the Senate and House, according to statements provided to Politico. The White House came out in support of the bill on Thursday evening but told CBS that it was "exploring all options, to ensure that the legislation enables all relevant Federal agencies to receive and process these incident reports as quickly as possible to carry out their cybersecurity missions."
On Friday afternoon, CISA director Jen Easterly addressed the issue publicly, writing on Twitter that the agency would "immediately" share the incident reports with the FBI.
"The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a critical step forward in ensuring our nation's security. As the nation's cyber defense agency, it gives CISA another key tool to respond to & mitigate the impact of cyber attacks," Easterly said.
"We have a terrific operational partnership w/our #FBI teammates & will continue to do so, to include always ensuring that cyber incident reporting received by CISA is immediately shared with them."
Spokespeople for the lead senators behind the bill, Senate Homeland Security Committee Chair Gary Peters and ranking member Rob Portman, criticized the FBI and DOJ for attacking the bill, telling Politico that both were consulted on it for months.
The FBI had previously expressed their desire to be included in any incident reporting legislation during hearings that took place in September. Both Easterly and National Cyber Director Chris Inglis backed the inclusion of the FBI at the time and the Senate changed the bill to mandate that CISA share incident reports with the FBI and other agencies within 24 hours.
Despite the changes, Monaco told Politico on Thursday that "changes" still needed to be made to it.
The FBI and DOJ did not respond to requests for comment on Friday about whether they will now support the legislation in light of Easterly's comments.
The 200-page act, which combines pieces of the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act -- includes several measures designed to modernize the federal government's cybersecurity posture, and both Peters and Portman said the legislation was "urgently needed" in light of US support for Ukraine, which was invaded by Russia last week.
Rep. Jim Langevin, the co-chair of the Cybersecurity Caucus, said getting incident reporting, FISMA and FedRamp across the finish line and onto the President's desk "should be top priorities for this Congress."
"My colleagues in the House and I have worked hard to develop strong language to accomplish these goals, not all of which is included in this bill, such as the need to codify the dual-hat role of the federal CISO," Langevin told ZDNet. "I look forward to building upon this week's progress to pass strong cyber legislation out of both chambers, so that we can meet our nation's urgent cybersecurity needs."