[Congressional Record Volume 168, Number 45 (Monday, March 14, 2022)]
[Senate]
[Pages S1149-S1150]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




          CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE

  Mr. WARNER. Madam President, I rise today in support of the Cyber 
Incident Reporting for Critical Infrastructure Act of 2022, which is 
included as division Y in the Senate amendment to H.R. 2471, the 
Consolidated Appropriations Act of 2022. Cyber attacks and ransomware 
attacks are a serious national security threat that have affected 
everything from our energy sector to the Federal Government and 
Americans' own sensitive information. The SolarWinds breach 
demonstrated how broad the ripple effects of these attacks can be, 
affecting hundreds or even thousands of entities connected to the 
initial target. As cyber and ransomware attacks continue to increase, 
the Federal Government must be able to quickly coordinate a response 
and hold bad actors accountable.
  Especially now, as the threat of Russian cyber attacks looms in light 
of Putin's horrific invasion of Ukraine, we shouldn't be relying on 
voluntary reporting to protect our crucial infrastructure. The Federal 
Government needs to know when vital sectors of our economy are affected 
by a breach so that the full resources of the Federal Government can be 
mobilized to respond and mitigate their impacts.
  This bipartisan bill will take significant steps to strengthen 
cybersecurity protections, ensure that CISA is at the forefront of our 
Nation's response to serious breaches, and most importantly, require 
timely reporting of these attacks to the Federal Government so that we 
can better prevent future incidents and hold attackers accountable.
  The plain text of the statute makes Congress' intent clear: although 
the reports themselves--and any ``communication[s], document[s], 
material[s], or other record[s] created for the sole purpose of 
preparing, drafting or submitting'' those reports--may not be received 
in evidence, the FBI and other law enforcement entities nevertheless 
may, as appropriate,

[[Page S1150]]

make use of reported information in their investigations of a cyber 
incident. In other words, the FBI cannot attach the report filed with 
CISA in a warrant application or submit it in evidence in a trial but, 
if provided information from reports under the process outlined in the 
statute, may as appropriate use information contained in the reports 
and derived from them for a range of purposes, including getting a 
warrant and prosecuting bad actors. Further, this statute also is not 
intended to prohibit or discourage entities from reporting to CISA and 
law enforcement concurrently.
  The language of this bill makes clear that the information may be 
used for cybersecurity or investigative purposes. Section 2245 clearly 
states that reports submitted to CISA under this provision can be used 
for ``the purpose of preventing, investigating, disrupting, or 
prosecuting an offense arising out of a cyber incident reported 
pursuant to [the bill's requirements or voluntary provisions].'' Nor 
are facts developed during an FBI investigation of the relevant cyber 
incident using other authorities, including similar facts that may also 
have been disclosed to the Federal Government in the report to CISA, 
``communication[s], document[s], material[s], or other record[s]'' 
subject to the evidentiary restrictions in 2245(c)(3).
  Such actions by the FBI to hold accountable, disrupt, or deter 
perpetrators of cyber attacks are consistent with our goal of 
encouraging entities to disclose cyber incidents to CISA, which will 
share the information appropriately with other Federal agencies. As 
stakeholders work through the rulemaking process, we look forward to 
working with them to ensure that congressional intent is not 
misinterpreted and that this legislation is implemented as intended.
  This balance ensures both that entities are encouraged to and feel 
protected in disclosing cyber incidents and that law enforcement 
agencies may make full use of evidence, gathered through a variety of 
means, needed to detect, disrupt, and deter perpetrators of attacks.

                          ____________________