New global “policy regimes” embracing cybersecurity incident reporting are a “potentially appropriate tool to provide greater visibility” into cyberattacks -- if “carefully crafted,” said the Information Technology Industry Council Monday. It urged policymakers to heed new recommendations “on limiting incident reporting to confirmed or verified incidents.” ITI asked security authorities to craft policies that “allow for at least a 72-hour reporting window after an entity has verified an incident” and to limit incident reporting “to confirmed or verified incidents.” Effective reporting regimes also need to “establish or maintain appropriate liability protections and ensure information provided is exempt from public disclosure,” said ITI. It seeks measures that “ensure confidentiality and appropriate protections around sensitive information shared with or by competent authorities within the government, including against regulatory use.” Senate Homeland Security Committee Chairman Gary Peters, D-Mich., hopes soon to introduce bipartisan legislation that would require critical infrastructure owners and operators to report “significant” cyberattacks (see 2109230065).
Congress “may not” be able to pass before the end of the week the bipartisan Infrastructure Investment and Jobs Act (HR-3684), Build Back Better Act budget reconciliation package and a continuing resolution to fund the FCC and other federal agencies past Thursday (HR-5305), President Joe Biden told reporters Monday. The House began debate Monday on HR-3684, which includes $65 billion for broadband, but won’t vote on it until Thursday. The House Budget Committee voted 20-17 Saturday to advance the Build Back Better Act, which includes $10 billion for next-generation 911, $4 billion for the FCC Emergency Connectivity Fund and language to authorize an FCC auction of at least 200 MHz of the 3.1-3.45 GHz band (see 2109140063). The Senate was to have voted Monday night on invoking cloture on the House-passed HR-5305; Republicans were expected to have voted against the CR because it includes language to suspend the debt ceiling until Dec. 16, 2022. HR-5305 would allocate $77.6 million for the Department of Health and Human Services’ Substance Abuse and Mental Health Administration to implement tech upgrades to 988 suicide prevention hotline call centers (see 2109240070).
Senate Consumer Protection Subcommittee Chairman Richard Blumenthal, D-Conn., urged the FCC to “take action to strengthen our anti-robocall laws, require carriers to block illegal marketing, and bring enforcement actions against the culprits and enablers.” He cited “the drastic increase in unsolicited text messages” in July, totaling 7.1 billion, and the estimated 5.74 billion robocalls consumers received then. “I encourage the FCC to move forward to require more telephone carriers” to implement anti-robocall actions mandated in the 2019 Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (Traced) Act, including the secure telephone identity revisited (Stir) and signature-based handling of asserted information using tokens (Shaken) protocol, Blumenthal said Friday in a letter to acting FCC Chairwoman Jessica Rosenworcel. “While I appreciate that some smaller carriers may require additional help to upgrade their networks, the FCC’s current timetable means that consumers may not see full relief from robocalls until June 2023.” Rosenworcel “shares [Blumenthal’s] desire to put an end to the consumer plague of unwanted robocalls and texts,” a spokesperson emailed. “We are reviewing the letter and its recommendations.”
The Senate Commerce Committee plans a privacy hearing Wednesday at 10 a.m. in 253 Russell, Chair Maria Cantwell, D-Wash., announced. The focus is consumer privacy rights, FTC resources, the potential for a new privacy bureau and federal privacy legislation. Witnesses are ex-FTC Commissioner Maureen Ohlhausen, now at Baker Botts; ex-FTC Consumer Protection Bureau Director David Vladeck, now at Georgetown Law; ex-FTC Chief Technologist Ashkan Soltani, now an independent researcher; and ACT|The App Association President Morgan Reed. The Consumer Protection Subcommittee set a hearing Thursday at 10:30 a.m. on Facebook, Instagram and kids’ mental health. Facebook Global Head of Safety Antigone Davis will testify.
The Senate plans a Monday night vote to invoke cloture on a House-passed continuing resolution to extend funding for the FCC and other federal agencies through Dec. 3 (HR-5305). The government will shut Thursday night unless the CR’s enacted. HR-5305 includes $77.6 million for the Department of Health and Human Services’ Substance Abuse and Mental Health Administration to implement tech upgrades to 988 suicide prevention hotline call centers, which the White House sought in its CR recommendations (see 2109070055).
The House passed the FY 2022 National Defense Authorization Act (HR-4350) Thursday 316-113, after okaying telecom and tech-related amendments. The chamber approved 360-66 an en bloc amendment containing language from Rep. Tim Walberg, R-Mich., to attach his Promoting U.S. Wireless Leadership Act (HR-3003). Lawmakers voted 362-59 for another amendments package that includes text from Rep. Tom Malinowski, D-N.J., to prohibit agencies from requiring tech companies to add backdoors. It approved 367-59 a package including a proposal from Rep. Debbie Lesko, R-Ariz., for a report on the feasibility of an interagency U.S.-Taiwan working group to cooperate on chips. An earlier House-cleared amendments package included the text of the 911 Supporting Accurate Views of Emergency Services Act (HR-2351) and requires the State Department to report to Congress on the “national security implications” of open radio access networks (see 2109220069). Senate Armed Services Committee leaders last week filed their FY 2022 NDAA version (S-2792); the panel advanced the measure in July.
Senate legislation introduced Thursday would require agencies to publish congressionally mandated reports. Introduced by Senate Homeland Security Committee ranking member Rob Portman, R-Ohio, and Senate Rules Committee Chair Amy Klobuchar, D-Minn., the Access to Congressionally Mandated Reports Act would require agencies to submit the reports to the Government Publishing Office “after each agency redacts information that would not be publicly disclosable under the Freedom of Information Act.” The GPO would publish the documents. Homeland Security Committee Chairman Gary Peters, D-Mich., and Sen. Maggie Hassan, D-N.H., co-sponsored the legislation. A similar bill (HR-2485) passed the House on July 26.
The Senate Judiciary Committee advanced by voice vote Thursday legislation that would strengthen the right of state attorneys general to litigate antitrust cases in courts of their choosing. S-1787, the State Antitrust Enforcement Venue Act (see 2109150054), would strengthen AG discretion over defendants seeking to move cases to preferred venues. The House Judiciary Committee in June passed companion legislation from House Antitrust Subcommittee Chairman David Cicilline, D-R.I., and ranking member Ken Buck, R-Colo. (see 2106240071). The bill “will allow for more efficient and effective antitrust enforcement by state attorneys general, which is good for competition and consumers,” said Senate Antitrust Subcommittee Chair Amy Klobuchar, D-Minn., in a statement. The bill “will give a much-needed boost to State antitrust enforcement actions, and will respect States’ sovereignty in their efforts to protect their citizens from abusive monopolists,” said ranking member Mike Lee, R-Utah, who co-authored the plan.
Senate Homeland Security Committee Chairman Gary Peters, D-Mich., hopes soon to introduce legislation with ranking member Rob Portman, R-Ohio, that would require critical infrastructure owners and operators to report “significant” cyberattacks, Peters said during a hearing Thursday. The bill would require entities to report incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Accountability on who’s in charge will be an important element, said Portman: “Cyber reporting legislation might better inform that strategy. I think we can get that right. I think we can get a bipartisan product.” Senate Intelligence Committee Chairman Mark Warner, D-Va., said previously he and co-authors of his own legislation were in conversations with Peters and Portman (see 2108020033). It’s long past time to pass cyber incident reporting legislation, testified CISA Director Jen Easterly: The bill would allow CISA to aid victims directly and share information across sectors. The information would be “profoundly useful” for determining strategy and informing investments, said National Cyber Director Chris Inglis. OMB Federal Chief Information Security Officer Christopher DeRusha said it’s important to have a universal standard rather than a state patchwork.
The FCC “should fully describe available public comment data, including what data elements mean and any limitations, to external users of the data,” GAO recommended Thursday. Its report urged nine other federal entities to better describe collected comment data. House Commerce Committee Chairman Frank Pallone, D-N.J., was among lawmakers who sought the review. It partly focused on FCC comment processes ahead of its 2017 vote to rescind 2015 net neutrality rules (see 1710130052). GAO said last year the FCC made progress addressing electronic comment filing system (ECFS) security vulnerabilities and needs to do more (see 2004240029). ECFS in 2017 “allowed commenters to use a file-sharing website to submit bulk files of comments using a specific template,” GAO said now. The agency “maintained a submission time stamp, the email address entered by the submitter, and the file name of the attachment submitted.” That “does not conclusively identify the source of unconfirmed comments,” the report said. The FCC’s online portal doesn’t “describe potential limitations of the shared comment data,” including “variation in available data, accuracy of the data, and their importance to agencies’ rulemaking decisions,” GAO said. “Information on these limitations can be important to help external users make informed decisions.” The commission has “specific plans to improve the ways that ECFS describes the information,” via ongoing “redevelopment” (see 1909160019), commented Managing Director Mark Stephens. “The rebuilt system” will include “rewritten” user help information that will “explicitly” define “the data elements that are maintained.” The commission is rewriting its ECFS user guide to “give plain-English instruction on how to use” the interface “and ensure that the data fields are clearly described,” Stephens said. Senate Homeland Security Committee ranking member Rob Portman, R-Ohio, and Sen. Tom Carper, D-Del., welcomed the audit.
“Regulations.gov and other federal agency websites used to collect comments should be secure and easy to navigate, and they should clearly inform commenters how they will use their data,” Portman said. “People who abuse the comment process by trying to overwhelm the systems or filing comments using stolen identities should be held accountable. I hope federal agencies will adopt the GAO’s recommendations and work to improve the online commenting experience.” It’s “deeply troubling that GAO’s report confirms our earlier findings that federal agencies’ websites that collect public comments about proposed regulations are susceptible to abuse by bad actors,” Carper said. “We live in a time where disinformation spreads rapidly online and, as elected officials, we have a critical responsibility to ensure transparency and integrity.”