As the partisan divide in Washington widens during this 116th Congress, the prospects of enacting any meaningful legislation that bolsters the nation’s cybersecurity seem, at first blush, dim. Of the nearly 300 pieces of legislation that touch on some aspect of cybersecurity, or more urgently, election security, introduced since the current Congress began last year, only nine have become law. Most were budget-related measures that appropriated or increased funds for federal agencies to spend on cybersecurity or election security as part of the fiscal 2020 spending deal passed in December.
Now, roughly halfway through the current Congress, it’s time to take stock and review where things stand in the legislative arena. A number of bills have been passed by either the House or the Senate and are awaiting further action. They are worth watching in 2020 because they have progressed the farthest and arguably might come closest to gaining some momentum toward passage.
House-passed cybersecurity legislation
Notable digital security-related bills that the House has passed include:
- H.R. 3710 - Cybersecurity Vulnerability Remediation Act: This bill was passed by the House in September and is now before the Senate Homeland Security and Governmental Affairs Committee, which has taken no action yet. The bill would allow the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) to issue protocols to mitigate vulnerabilities, and would allow the DHS Science and Technology Directorate to establish an incentive program under which industry, individuals, academia, and others compete to provide remediation solutions for cybersecurity vulnerabilities.
- H.R. 2331 - SBA Cyber Awareness Act and H.R. 1649 - Small Business Development Center Cyber Training Act of 2019: Both bills passed the House on July 15. The SBA Cyber Awareness Act addresses the cybersecurity of the Small Business Administration (SBA). It requires the SBA to report annually to Congress on the agency’s information technology and any improvements its technology infrastructure may need. It also requires the SBA to provide an account of any IT equipment, or interconnected system or subsystem of equipment, manufactured by an entity that has its principal place of business in the People's Republic of China.
The annual report must further account for any cybersecurity incident the SBA has encountered during the previous two years and how the agency dealt with those incidents. The Small Business Development Center Cyber Training Act requires the SBA to establish a program for certifying that at least 5% or 10% of the total number of employees of a small business development center provide cybersecurity planning assistance to small businesses. Both bills have companion legislation in the Senate sponsored by Sen. Marco Rubio (R-FL), who chairs the Senate Small Business Committee, and are awaiting votes by the full Senate.
- H.R. 328 - Hack Your State Department Act: This bill was one of the first cybersecurity measures passed by the House during the 116th Congress, passed last January and quickly referred to the Senate, where companion legislation was introduced on June 12. It requires the “Secretary of State to design and establish a Vulnerability Disclosure Process (VDP) to improve Department of State cybersecurity” and mandates a bug bounty program “to identify and report vulnerabilities of internet-facing information technology of the Department of State.”
- H.R. 1 - For the People Act of 2019: The first bill introduced in the new Congress was passed by the House on March 8. Among other things, this sweeping piece of legislation “sets forth provisions related to election security, including sharing intelligence information with state election officials, protecting the security of the voter rolls, supporting states in securing their election systems, developing a national strategy to protect the security and integrity of U.S. democratic institutions, establishing in the legislative branch the National Commission to Protect United States Democratic Institutions.”
A companion bill in the Senate, S. 949, was introduced in March. Of all the cybersecurity-related bills passed by the House, H.R. 1 is least likely to gain momentum in the Senate given stiff resistance by Majority Leader Mitch McConnell (R-KY), who has vowed never to bring what he perceives as overly progressive legislation to the Senate floor.
Senate-passed cybersecurity legislation
Some of the prominent information security-related bills passed by the Senate and awaiting House action include:
- S. 333 - National Cybersecurity Preparedness Consortium Act of 2019: Passed by the Senate on November 21 and referred to the House Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation on December 4, the bill allows the Department of Homeland Security to work with a consortium of nonprofit entities to develop, update, and deliver cybersecurity training in support of homeland security.
- S. 1846 - State and Local Government Cybersecurity Act of 2019: Passed by the Senate on November 21 and referred on November 26 to the House Committee on Homeland Security, the Committee on Oversight and Reform, and the Committee on Energy and Commerce, the bill authorizes the Homeland Security secretary to make grants to, and enter into cooperative agreements or contracts with, state, local, tribal, and territorial governments and other non-federal entities, as the secretary determines necessary, regarding cyber threat indicators, defensive measures and cybersecurity technologies, cybersecurity risks, incidents, analysis, and warnings.
- S. 406 - Federal Rotational Cyber Workforce Program Act of 2019: Passed by the Senate on April 30, 2019 and under consideration by the House Committee on Oversight and Reform, which has already held one markup session, the bill permits certain government agency employees to be detailed to rotational cyber workforce positions at other agencies.
Cybersecurity legislation in committee
A number of bills have been introduced in or moved through House or Senate committees and are likely candidates for further movement once Congress rolls up its sleeves after the recess ends. Among them are:
- H.R. 3941 - The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act: Introduced in the House on July 24, 2019, with the House Oversight and Reform Committee holding a markup session on December 19, 2019, this legislation is now ready for full House consideration. The bill establishes the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration. FedRAMP is a risk management, authorization, and continuous monitoring process that enables the federal government to use cloud computing services under a risk-based approach consistent with the Federal Information Security Modernization Act of 2014 and cloud-based operations. The bill also allocates $20 million for the initiative.
- H.R. 1668 - IoT Cybersecurity Improvement Act of 2019: Introduced on March 11, 2019, the bill was approved by the House Committee on Oversight and Reform and is awaiting action by the Committee on Science, Space, and Technology. On the Senate side, the companion bill (S. 734) has been approved by the Homeland Security and Governmental Affairs Committee and is sitting on the Senate legislative calendar. The bill would give the National Institute of Standards and Technology (NIST) authority over managing internet-of-things (IoT) cybersecurity risks for devices acquired by the federal government.
- H.R. 4237 - Advancing Cybersecurity Diagnostics and Mitigation Act: Introduced in the House on September 6, 2019 and passed by the Committee on Homeland Security in October, the bill is awaiting consideration by the House Oversight and Reform Committee. The legislation’s Senate companion (S. 2318) has yet to be considered or amended by the Homeland Security and Governmental Affairs Committee. The bill authorizes the Secretary of Homeland Security to establish a continuous diagnostics and mitigation program within the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.
- H.R. 739 - Cyber Diplomacy Act of 2019: Introduced on January 24, 2019, and passed by the House Committee on Foreign Affairs in March, the bill has not received a vote on the House floor, nor does it have a Senate companion. Among other provisions, the bill would establish the Office of International Cyberspace Policy at the State Department and seeks to establish accepted norms for responsible state behavior in cyberspace.
- S. 3033 - K-12 Cybersecurity Act of 2019: This bill was introduced in the Senate Homeland Security and Governmental Affairs Committee shortly before the recess, on December 12, 2019, and is a response to the rash of ransomware attacks on government institutions and schools during 2019. It calls for DHS to create a set of guidelines to help schools improve their cybersecurity posture and better ward off these attacks.
Hot cybersecurity topics
Aside from the formal measures introduced in or passed by the House or Senate, a number of hot-topic cybersecurity issues are emerging as key subject areas for new legislation, or at least for high-level Congressional debate, during 2020.
- Election security: Despite an additional $425 million authorized by Congress to strengthen election security at the state level as part of appropriations bills passed in December, Democrats believe Congress hasn’t done enough to protect the country while the presidential election year moves into full swing. Senator Ron Johnson (R-WI), Chairman of the Senate Homeland Security and Governmental Affairs Committee, said he plans to hold hearings on the topic in 2020. House Administration Committee Chairwoman Zoe Lofgren might hold oversight hearings on the topic early in the year.
- Ransomware threats: 2019 saw a rash of ransomware attacks that crippled the city governments of Baltimore, Pensacola and New Orleans, along with a number of other municipalities in the U.S. Although two bills have been introduced to help local governments deal with this growing concern, the State and Local Government Cybersecurity Act of 2019 and the K-12 Cybersecurity Act of 2019, lawmakers are likely to focus additional attention on these threats, particularly if more high-profile government ransomware attacks occur.
- Foreign apps: As fears of supply chain threats ramp up in the U.S., with notable bans implemented by the Trump Administration on Chinese tech companies such as Huawei, a new avenue of concern has opened up regarding popular consumer apps that originate outside the U.S. The U.S. Navy and Army have already banned their personnel from using the Chinese viral video app TikTok on government-issued phones. New reports indicate that the popular Middle Eastern app ToTok is being used as spyware for the government of the United Arab Emirates, prompting some lawmakers to express concern over the national security implications of the app.
- DHS subpoena power: DHS has floated a legislative proposal to give it subpoena power to speed up CISA's ability to interact with critical infrastructure companies that are the targets of foreign cyberattacks. The administrative subpoena power DHS seeks would require ISPs to turn over information identifying the owners of equipment at IP addresses that CISA has identified, so that the agency can contact them about the threats.
Another development worth watching as Congress returns from recess is the emergence of a federal strategy for defending the U.S. government against cyberattacks, which lawmakers say could be finalized as early as March. The strategy flows from a commission created after the passage of the 2018 National Defense Authorization Act, and a draft version of the commission’s report is already circulating among lawmakers. The report will focus on protecting federal assets from cyberattacks but could prove useful to state and local governments, too.