How Congress could handle cybersecurity-focused bills in 2018

As the year begins anew for Congress, lawmakers face a daunting legislative list that includes decisions on a number of cybersecurity-focused items.

CyberScoop polled a half-dozen people who work on cybersecurity policy issues to come up with a verdict on each piece of possible legislation — and get their broader take on the possibilities for cyber law-making in 2018.

The experts looked at the following bills:

• A new DHS cyber agency: H.R. 3359, passed by voice vote in the House in December, is awaiting action by the Senate Homeland Security and Governmental Affairs Committee.
• Election cybersecurity: S. 2261, introduced in December with bipartisan support, and referred to the Rules and Administration Committee. A companion bill in the House, H.R. 3751, was referred both to the Administration and Intelligence committees.
• Internet of Things security standards: S. 1691 was introduced in August and referred to the Senate Homeland Security and Governmental Affairs Committee. Companion legislation is promised in the House.
• Data breach notification requirements. S. 2179 was introduced by Democrats on the Senate Commerce Committee, to which it was referred. In the House, Republicans on the Financial Service Committee have reached out to industry.

Several observers noted that a congressional year shortened by midterm elections leaves little time to resolve complex policy or jurisdiction issues.

Daniel Castro, vice president of the Information Technology and Innovation Foundation, was among the most downbeat, highlighting the absence of action on significant cybersecurity bills in 2017.

“If the major cybersecurity incidents we experienced last year could not spur Congress to act, it is unlikely that we will see much progress in the coming year,” he said. “The outlook for cybersecurity legislation is grim.”

Part of the problem, explained Larry Clinton, president of the Internet Security Alliance, is that there is often a disconnect between how serious the issue is and how well it’s understood.

“These [four] issues are at different levels of maturity [in terms of policy makers’ understanding] and represent different levels of risk and those don’t necessarily match up,” he said. “It’s going to be tough.”

Others were more sanguine. “All these pieces of legislation have favorable winds behind them and considerable challenges ahead,” said Andrew Howell, a government relations specialist and partner at the Monument Policy Group.

Some of the most important problems these bills face are political, observers say — be it due to political partisanship or the institutional conflicts that shape so much of Congress. Both kinds are likely to reach a boiling point ahead of the 2018 midterm elections.

DHS cyber agency

A bill passed Dec. 11 by the House, would reorganize DHS’s National Protection and Programs Directorate (NPPD) — the office responsible for protecting the nation’s vital industries from both online and physical attacks. The bill would rename NPPD as the Cybersecurity and Infrastructure Security Agency (CISA) and make its current undersecretary a director. It enjoys support from both sides of the aisle, as well as the White House.

The bill was narrowly drawn to avoid jurisdictional battles between the many committees that oversee DHS. Senate committee Chairman Ron Johnson, R-Wis., wants to tweak the House bill before he takes it up “early next year” according to Inside Cybersecurity. Committee spokesperson Brittni Palke told CyberScoop that the committee “continues to review legislation as it relates to NPPD.”

“There’s no one opposed [to the reorganization], it’s the right thing to do, it shows [the committee] are taking their oversight responsibilities seriously and frankly stakes out some jurisdiction for them — it’s a win-win all around,” said one cybersecurity industry lobbyist.

Clinton said the topic was comparatively well-understood among lawmakers. “That [NPPD reorganization] plan has been kicking around a couple of years. … It’s a mature issue.”

“You need an organization that knows and communicates very clearly to all its stakeholders what it is, what it does, and what it wants to be when it grows up,” said Howell. “I think this bill will find a way forward,” he went on, but he added one caveat.

Johnson has long harbored a wish to pass an annual policy bill for DHS, much like the Armed Services and Intelligence committees do for the Department of Defense and the intelligence community. The DHS effort has stumbled repeatedly — there’s never been a reauthorization bill for the department in its 14-year history — because of jurisdictional friction between the many oversight committees.

By congressional tradition, any reorganization of DHS — which was established by statute — “should … be part of a reauthorization process,” Howell said. If lawmakers who want to make changes at DHS “see individual bills start to pass,” others might try to follow suit. As an example, he cited Senate Commerce Committee members who’ve drafted a bill to reauthorize the Transportation Security Administration. If bills start to move “piecemeal,” he asked, “Does that doom the larger reauthorization effort?”

“It’s all down to how Johnson wants to manage the broader process of legislating DHS,” he concluded.

The expert verdict: More likely than not to become law

Election cybersecurity

A bipartisan group of senators last week introduced a bill to boost the online defenses of America’s voting systems, after Russian hackers probed election officials’ IT networks in 2016. The Secure Elections Act would mandate DHS to share more information with state and local elections officials about threats to their IT systems or voting machines. The bill also would set up an expert panel to draft voluntary risk-management guidelines and best practices state and local agencies can use. Finally, it would authorize a $386 million grant program to help states to implement these guidelines and replace outdated electronic voting machines.

The bill is “top of mind” because of continuing concerns about Russian efforts to disrupt elections, said Howell. “You have among state and local election officials a constituency that wants to be seen helping to enhance the integrity of the vote.”

In the House, there may be other problems. An earlier version of similar legislation, H.R. 3751,  backed by Reps. Mark Meadows, R-Ill., and Jim Langevin, D-R.I., was referred both to the Administration and Intelligence committees.

The big question mark is how the White House views the bill, according to Howell. President Donald Trump’s “attitude appears to be that he regards any talk of Russian hacking as questioning the legitimacy of his election victory.”

White House opposition — even just behind the scenes — would make it unlikely that the bill can pass, observers said.

Verdict: A 50-50 proposition, depending on the attitude of the White House

IoT cybersecurity standards

A bipartisan bill in the Senate would lay down certain minimal security practices as a requirement for any company wanting to sell Internet-connected devices to the federal government. Significantly, the IoT Cybersecurity Improvement Act of 2017 enjoys strong backing from the cybersecurity industry, as well as the wider tech sector.

A companion bill is expected in the House, sponsored by Reps. Will Hurd, R-Texas, and Robin Kelly, D-Ill., but there seems to be little appetite among GOP lawmakers, especially in the House, for anything that looks like new regulations.

Clinton said IoT was an example of an issue where there’s a big disconnect between “the level of maturity of the issue and the level of risk.”

“Broad IoT legislation isn’t practical in the current Congress,” he said, which was why the bill’s authors had narrowed its focus to federal procurement. But that should be seen as just a first step. “The concern is, that [if the bill passes], Congress then says ‘OK, we’ve done IoT security,’ and moves on … You can’t just leave it there.”

An executive for an industry association cautioned that the number of stakeholders involved in IoT policy would complicate even narrow legislation. The term IoT includes everything from $10 webcams to multimillion-dollar industrial scale deployments of sophisticated measurement tools. That means a very broad spectrum of business interests, from consumer electronics to the oil and gas sector, have a stake in legislation.

A cybersecurity industry lobbyist was more bullish on the IoT bill’s prospects, especially given its “light touch” approach of setting standards only for federal vendors. “There’s a real concern” about the weaponization of insecure IoT devices amongst knowledgeable lawmakers, the lobbyist said.

“Congress should be doing something to encourage better security standards. If the federal government doesn’t start demanding that [from its vendors], who does?”

Hurd’s role as House bill co-author is key, the lobbyist said, especially in overcoming concerns from conservatives.

“He really gets cyber and more importantly his colleagues really trust his gut on these issues. His role means the bill gets more traction.”

Verdict: Might pass in one chamber of Congress

Data breach notification requirements

Congress has been trying — and failing — for almost a decade to legislate national rules for how companies have to notify customers of a data breach.

“I’d love to believe that Congress has the will in the wake of the Equifax breach,” to pass a data breach law, the cybersecurity industry lobbyist said, “But I’ve been saying that after every big breach for almost 10 years now.”

“After each [successively worse] breach,” Clinton pointed out, “Everyone always says, ‘This will be the one,’ [to get Congress to act] and it never is.”

Previous efforts at federal legislation have stumbled over fights between retailers and card issuers about who pays to issue consumers new cards in a breach’s wake.

But a different issue threatens to derail the latest endeavor: a third-party notification requirement, which would put technology service providers, like software publishers, on the hook to notify consumers in a breach’s wake.

This issue a “deal breaker” for the tech sector, said the cybersecurity lobbyist.

“There will be no tech industry support for any bill with a third party notification requirement,” the lobbyist said. In an election year, “the political climate is such that it doesn’t encourage legislators to pick fights with wealthy industries whose support they need.”

That red line for the tech sector highlights the political sensitivities that make legislative progress so unlikely.

Data breach notification “has always been a pretty heavy lift” for Congress, said Howell. He explained that the three “most active sets of stakeholders” — retailers, card issuers and technology service providers — each had an effective veto over legislation.

“Unless all three agree on a path forward, any one of them can muster enough support to block progress” on a particular bill, he said.

Verdict: Not passing