House passes bill to formalize NTIA’s cyber role following Salt Typhoon attacks
As cyber officials work to contain Salt Typhoon inside U.S. telecom networks, the House on Monday passed a bill that would officially designate one federal agency to lead efforts in protecting the nation’s digital infrastructure from such threats.
The National Telecommunications and Information Administration Organization Act cleared the House via voice vote and is now teed up for Senate consideration — the same position the bill found itself in last year before stalling out in the upper chamber.
The legislation from Reps. Jay Obernolte, R-Calif., and Jennifer McClellan, D-Va., would rebrand the Office of Policy Analysis and Development as the Office of Policy Development and Cybersecurity, and codify the NTIA’s responsibilities to lead policy initiatives and coordinate with other agencies on cyber practices for the country’s communications networks.
“NTIA is already central to advancing market-driven strategies that foster innovation, expand broadband deployment and promote a competitive digital economy,” McClellan said. “But this legislation ensures that NTIA is equally empowered to help safeguard that digital future, particularly as the cybersecurity threats we face grow more complex and more dangerous by the day.”
The Salt Typhoon attack spree last year on major American telecommunications companies, she added, was a “sobering reminder” of the vulnerabilities that live in U.S. infrastructure and “how deeply” the fallout of cyberattacks can be felt in multiple sectors, ranging from health care to national security.
The top Democrat on the Senate Intelligence Committee last year called the far-reaching breach by the Chinese hacking group “the worst telecom hack in our nation’s history.” In interviews with CyberScoop, a half-dozen sources pointed fingers at a lack of coordination and miscommunication between federal agencies and the telecom industry.
The bill calls on NTIA to take the lead on coordinating “transparent, consensus-based, multistakeholder processes” for the development and implementation of cybersecurity and privacy policies in communications networks. Public-private partnerships would be fostered to encourage “collaboration between government agencies and stakeholders,” said Rep. Bob Latta, R-Ohio, chairman of the House Energy & Commerce Committee’s energy subcommittee.
There is also a callout in the legislation for increased collaboration between security researchers, software developers and telecoms. Collaboration will be paramount as telecoms attempt to purge the vestiges of Salt Typhoon from their networks, a feat that experts told CyberScoop will be exceedingly difficult if not impossible.
Additionally, the legislation seeks NTIA-led policies on security resilience and the pursuit of accelerated “innovation and commercialization with respect to advances in technological understanding of communications technologies,” per the bill text.
“As more and more of Americans’ lives move into a digital format, it’s leaving the information of Americans more and more vulnerable to cyberattacks,” Obernolte said. “That’s why it is critical that we establish cybersecurity protocols and capabilities to counter the threats, not just to foreign actors, but of cybercriminals and transnational criminal organizations who attempt to breach our data security and access the data of Americans.”
A separate bill that passed the House later Monday has additional cyber-related responsibilities for the NTIA and its leader, the assistant secretary for communications and information. The Understanding Cybersecurity of Mobile Networks Act would require the Commerce Department official to lead a report that examines mobile service networks’ cybersecurity and vulnerabilities that those networks and devices face from adversaries.
The legislation, co-sponsored by Reps. Greg Landsman, D-Ohio, and Kat Cammack, R-Fla., charges the NTIA chief with coordinating an interagency group to inform the report that includes experts from the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security’s Science and Technology Directorate.
That group, Landsman said, would “build out all of the information we need to ensure that we understand where all of our vulnerabilities are, that we are dealing with those vulnerabilities, where are the gaps, how our foreign adversaries are accessing data, how could they be accessing our data, and how to further our ability to stop our enemies from attacking our individual devices.”
In compiling the report, NTIA should also consult with the Federal Communications Commission, the intelligence community, privacy and encryption researchers and academics, international stakeholders, standards and technical organizations, and industry, per the bill text. The legislation also calls for an analysis of the commercially available tools that can help consumers assess networks’ cybersecurity.
“It’s a good step towards ensuring we can protect our global networks from evolving threats,” said Rep. Frank Pallone, ranking member of the House Energy & Commerce Committee. “And I know we will continue to work towards securing our country’s data, devices and networks, whether from a foreign adversary or domestic threat.”
This story was updated July 15 with details on the passing of the Understanding Cybersecurity of Mobile Networks Act.
