New digital threats that could topple business, government, military and political institutions is moving cybersecurity to the top of the congressional agenda. The newly seated 116th Congress has so far seen 30 bills introduced in the House of Representatives and seven bills introduced in the Senate that directly deal with cybersecurity issues. That does not include other pieces of legislation that have at least some provisions that deal with information and digital security.
A key problem in grappling with such a complex issue as cybersecurity in Congress — and in Washington in general — is the diffused responsibility spawned by the wide-ranging, interconnected nature of the topic. Representative Jim Langevin (D-RI), a member of the Armed Services and Homeland Security Committees, and one of the founders of the Congressional Cybersecurity Caucus, flagged this stumbling block at the 2019 State of the Net conference in January by calling for consolidation in Congress over cybersecurity.
Noting that around 80 groups within the legislative branch claim some jurisdiction over cybersecurity matters, Langevin said, “We as a Congress are going to have to move with greater agility to respond to the cybersecurity threats we face going forward, and we can’t do it under the current construct.” Langevin wants the House Homeland Security issue to take the lead on all matters related to cybersecurity.
For the time being, the multiplicity of congressional committees and subcommittees with jurisdiction over cybersecurity combined with the complexity of the topic, which bleeds into other issues such as privacy and national security, makes it difficult to gain the momentum needed to actually pass meaningful cybersecurity legislation.
To clarify the current legislative state-of-play, the following are the broad-brush arenas in which congressional action of some kind will likely occur over the next two years.
Critical infrastructure legislation
With looming threats to the nation’s water, electric, transportation and other critical infrastructure sectors, a number of bills have been introduced. They tackle protecting the essential services that many believe are outdated and ripe for exploitation by malevolent actors. Several pieces of legislation dealing with critical infrastructure that failed to pass in the last Congress have already been teed up again for possible enactment during this session.
- H.R.359 -- Enhancing Grid Security through Public-Private Partnerships Act: Representative Jerry McNerney (D-CA) introduced this bill, which “directs the Department of Energy to facilitate and encourage public-private partnerships in order to address and mitigate the physical security and cybersecurity risks of electric utilities.”
- H.R.360 — Cyber Sense Act of 2019: Introduced by Representative Robert Latta (R-OH), this bill creates a voluntary Department of Energy “Cyber Sense” program to identify and promote secure products in the bulk power system and establishes a testing and reporting process for cybersecurity vulnerabilities.
- H.R.362 -- Energy Emergency Leadership Act: Introduced by Representative Bobby Rush (D-IL), this legislation requires the Secretary of the Department of Energy to assign energy emergency and energy security functions to an Assistant Secretary, including responsibilities with respect to infrastructure and cybersecurity.
- H.R.370 — Pipeline and LNG Facility Cybersecurity Preparedness Act: Sponsored by Fred Upton (R-MI), this bill requires the Department of Energy to implement a program to ensure the security, resiliency, and survivability of natural gas pipelines, hazardous liquid pipelines, and liquefied natural gas facilities. In the Senate, Senator John Cornyn (R-TX) has introduced S.300 - a bill to require the Secretary of Energy to carry out a program relating to physical security and cybersecurity for pipelines and liquefied natural gas facilities.
- H.R.680 -- Securing Energy Infrastructure Act: Representative Dutch Ruppersberger (D-MD) introduced this bill, which allocates $10 million for a two-year program within the Department of Energy National Laboratories to identify cyber vulnerabilities in energy sector non-digital systems and to test technologies that could defend the grid against cyberattacks. On the Senate side, Senator Angus King, Jr., (I-ME) introduced the 2019 companion edition of this bill in that chamber.
Workforce cybersecurity legislation
Given that (ISC)2, the nonprofit association of certified cybersecurity professionals, estimates that there is now a shortage of almost three million cybersecurity professionals globally, it’s no surprise that the lack of cybersecurity expertise, particularly in the federal government, is a top topic for lawmakers.
- S.3437 -- The Federal Rotational Cyber Workforce Act: This bill was recently reintroduced by Senators Gary Peters (D-MI) and John Hoeven (R-ND). It would complement the 2015 Federal Cybersecurity Workforce Act by establishing a program where cybersecurity specialists within the federal government would be able to lend their expertise to whichever agency has a need. The bill would empower the Office of Personnel Management to develop an operational plan for the program and put together a list of open rotational cyber workforce positions where agencies have identified a need.
- H.R.334 -- The New Collar Jobs Act of 2019: Representative Ted Lieu (D-CA) revived his bill from the last Congress to establish an employee cybersecurity education tax credit, up to $5,000 a year per employee, for an employer who incurs costs for an employee who earns a certificate or degree at the undergraduate or graduate level or an industry-recognized certification listed in the National Initiative for Cybersecurity Education's Cybersecurity Workforce Framework. The bill also increases the bid score for companies bidding on federal government contracts if they use the tax credit. It cancels up to $25,000 in student loans for workers who paid off 36 consecutive months of those loans and hold a cybersecurity job in an economically distressed area during at least 12 months of payments.
Supply chain cybersecurity legislation
In the midst of high-profile and controversial bans on the use of foreign technology by U.S. government and military offices, it’s no surprise that legislation tackling supply chain cybersecurity threats.
- S.29 -- A bill to establish the Office of Critical Technologies and Security: Senator Mark Warner (D-VA) introduced this bill early in the new Congress. A companion bill in the House, sponsored by Representative Dutch Ruppersberger (D-MD) H.R. 681, quickly followed. The legislation proposes a new “Office of Critical Technology and Security” to coordinate technology supply chain security efforts. The office, which would report to the President, would be assigned the task of stopping “the transfer of critical emerging, foundational, and dual-use technologies to countries that pose a national security risk” and developing a “strategy to inform the private sector about critical supply chain risks.”
Election cybersecurity legislation
- H.R. 1 -- For the People Act of 2019: This was the first bill introduced in the new Congress. It was sponsored by John Sarbanes (D-MD), features a number of election security and modernization provisions, including cybersecurity standards for voting machines, an election bug bounties program, guidelines issued by the Election Assistance Commission (EAC) for states, and best practices to prevent and deter attackers. The bill also provides grants to state and local government for election security and standards for election technology vendors to receive grant money.
- H.R.52 -- the SAFETi Act: Introduced by Sheila Jackson Lee (D-TX), this bill requires the Department of Homeland Security (DHS) to submit to the Government Accountability Office (GAO) and Congress a report on actions taken by DHS relating to terrorist threats to the integrity of the 2016 federal election.
- The Global Electoral Exchange Act: Senator and presidential hopeful Amy Klobuchar (D-MN) recently reintroduced legislation from the last Congress. It would “establish an international information sharing program on election administration and security at the State Department,” enabling the U.S. to work with its international allies to strengthen election security by sharing best practices on audits, disinformation campaigns, and voter database protections–among other issues.
- H.R.598 -- the Georgia Support Act: Introduced by Representative Gerald Connolly (D-VA), this bill offers, among other things, a series of actions to assist the State of Georgia with election-related cybersecurity matters. Georgia experienced a host of cybersecurity-related problems during the 2016 presidential election and the 2018 mid-term election, including an alarming and still murky last-minute allegation of partisan hacking by the successful gubernatorial candidate. The bill offers Georgia whatever assistance may be necessary to secure government computer networks from malicious cyber intrusions, particularly such networks that defend the critical infrastructure of Georgia
Bug bounty legislation
As mentioned earlier, H.R.1 has provisions for bug bounties, but another cybersecurity bill, one that the full Congress has already passed:
- H.R.328, Hack Your State Department Act, sponsored by Representative Ted Lieu (D-CA), offers bug bounties to hackers who undergo background checks in exchange for reports about vulnerabilities in the State Department’s websites and other Internet assets. The Hack Your State Department Act follows a similar bill passed in the last Congress that established a bug bounty program for the Department of Homeland Security.
Even with this ambitious agenda, expect even more cybersecurity-related bills in the coming weeks and months. In particular, Senator Ron Wyden’s planned introduction of the Consumer Data Protection Act, is worth watching. That bill would empower the FTC to establish minimum privacy and cybersecurity standards, impose steep fines (up to 4 percent of revenues) on companies that violate privacy and security standards and even permit prison sentences for senior executives for their companies’ privacy and security violations.
Finally, Representative Langevin said he plans to reintroduce a bill he sponsored in the wake of Equifax’s massive data breach in 2017, the Personal Data Notification and Protection Act, which provides for a single national breach notification standard, giving companies 30 days to disclose any breach of consumer data.