With a lame duck session pending, Congress may address a number of cybersecurity and data security issues before the end of the calendar year. Since it passed the “Cybersecurity Act of 2015,” Congress has been addressing cybersecurity issues in a piecemeal fashion rather than crafting major legislation. While it is highly unlikely that Congress would legislate on a national data security standard or privacy regime — particularly in light of the Democrats flipping the House — a number of bills could move now that the mid-term elections are behind us. Here, I provide a summary of the most significant of the cybersecurity-related bills that Congress could grab off the shelf during the lame duck.
To date, Congress has passed a number of cyber-related bills the president has signed into law. For example, the “John S. McCain National Defense Authorization Act for Fiscal Year 2019” is replete with defense-oriented cybersecurity and supply chain provisions, including language restricting the federal government’s use of Huawei and ZTE products and services. Congress also passed a relatively minor cybersecurity bill, the “NIST Small Business Cybersecurity Act” (S.770), which directs the National Institute of Standards and Technology (NIST) to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”
Just this week, the House sent a bill to the White House that would reorganize and rename the National Protection and Programs Directorate (NPPD). The Senate pinged its version of the “Cybersecurity and Infrastructure Security Agency Act of 2018” (H.R. 3359) to the House in early October, and the House agreed to this bill by unanimous consent on November 13. This bill would establish a new agency, the Cybersecurity and Infrastructure Security Agency, within the Department of Homeland Security (DHS) that combines NPPD with other existing DHS components. The new agency would be led by a Senate-confirmed director and consist of a Cybersecurity Division, an Infrastructure Division, and an Emergency Communications Division.
However, other bills could pass in the current lame duck session. In September, the House passed four cyber-related bills that demonstrate the scope of bills more likely to be enacted provided the Senate takes up these bills:
- The “Securing the Homeland Security Supply Chain Act of 2018” (H.R. 6430), which would provide the Secretary with discretionary authority to exclude IT supply chain sources based on a risk analysis, and if a source is excluded, the entity would have almost no recourse to challenge such a finding in federal court or with the Government Accountability Office (GAO). The Senate Homeland Security Committee marked up a related bill, the “Federal Acquisition Supply Chain Security Act of 2018” (S. 3085). These bills are discussed in greater detail below.
- The “Advancing Cybersecurity Diagnostics and Mitigation Act” (H.R. 6443), which “codifies and defines the activities of the continuous diagnostics and mitigation (CDM) program at [DHS]…[and] requires the Secretary of Homeland Security to deploy, operate, and maintain the CDM program, developing and providing capabilities to collect, analyze, and visualize information related to security data and cybersecurity risk.” This bill is fairly anodyne and would largely codify what DHS is already doing. Therefore, prospects of enactment are good.
- The “Department of Homeland Security Chief Data Officer Authorization Act” (H.R. 6447), which would “establish the position of Chief Data Officer of the [DHS]…[who] is responsible for overseeing data management and analytics efforts at the Department and serves as the liaison with other federal agencies regarding the use of Department data.” This bill is also non-controversial and could move in the lame duck.
- The “Cyber Deterrence and Response Act of 2018” (H.R. 5576), which “requires the president to designate as a ‘critical cyber threat actor’ each foreign person or agency of a foreign state that the president determines is responsible for state-sponsored cyber activities that pose a significant threat to the national security, foreign policy, economic health or financial stability of the United States” according to outgoing House Foreign Affairs Committee Chairman Ed Royce (R-Calif.). This bill faces executive branch opposition because the White House sees the bill as Congress impinging on the president’s ability to conduct foreign policy. Therefore, the White House has already weighed in with Senate Republican leadership, and consequently, it is unlikely this bill comes to the Senate floor.
Below are other cybersecurity areas Congress could legislate upon before the end of the current session.
The House Homeland Security Committee marked up and reported out a bill that would give the DHS Secretary the authority to exclude risky contractors and subcontractors from the DHS supply chain for IT, telecommunications, hardware, and software if a source is found to be not be responsible. Likewise, the secretary could direct a contractor not to use a subcontractor also found not to be responsible. As noted earlier, the House passed this bill H.R. 6430 earlier this month. However, the Senate Homeland Security Committee marked up a broader bill designed to confer the same authority on all agencies that tracks with a bill the Trump administration sent up to the Hill.
The House’s bill is narrowly targeted at DHS and covers IT, cloud services, and telecommunications equipment and services. The companion bill in the Senate, the “Federal Acquisition Supply Chain Security Act of 2018” (S. 3085), is broader and would provide all federal agencies with the authority to exclude supply chain risk. This bill was marked up in committee in late September but has not yet been brought to the floor. Before the election, the fact that one of the primary sponsors, Senate Homeland Security Committee Ranking Member Claire McCaskill (D-MO), was running for reelection in a state President Donald Trump carried in 2016 may have contributed to Senate Republican leadership not acting on a bill with bipartisan sponsorship and the support of the White House. Post-election — now that Republicans are not worried about providing credit to co-sponsor, Sen. Claire McCaskill (D-Mo.) — the Senate could take up this bill to safeguard the federal government’s IT supply chain from threats posed principally from technology and software sourced from the People’s Republic of China (PRC).
In August, the Senate Rules Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from cyber interference, the “Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision had already been softened at the insistence of Senate Republican leadership. Yet, a White House spokesperson indicated in a statement that the administration opposed the bill, posing an additional obstacle. However, even if the Senate were to pass this bill, it seems unlikely the House would consider companion legislation (H.R.6663).
The managers amendment for S. 2593 posted on the Senate Rules Committee website was characterized by a compromise package acceptable to committee leadership on both sides of the aisle. This bill would sweep widely with respect to the types of technology and systems covered to encompass virtually everything connected to election systems. Likewise, the sorts of cyber incidents considered relevant for purposes of triggering reporting and information sharing responsibilities is also very broad.. Election agencies (a term defined to include all state and local entities with a responsibility for administering federal elections) would be required to share any information about possible election-related cyber incident with appropriate state and DHS officials. DHS would likewise need to establish a communication protocol and information sharing regime for sharing election related cyber threat information with the appropriate federal, state, and local officials.
The bill would also amend the “Help America Vote Act” (P.L. 107-252) to require states to establish “a response and communication plan with respect to election cybersecurity incidents” as a condition of receiving funds under the act. States and local jurisdictions would be required to conduct audits of federal elections starting with the 2020 election. The bill would also require the purchase of voting machinery and systems capable of producing paper ballots should such acquisitions be made using funds provided under the Help America Vote Act.
Despite preliminary reports of possible efforts by Russia and other foreign powers (none of which are conclusive) to mount cyber interference with the mid-terms, it is very unlikely this bill passes in this Congress. House Democrats may take up the bill in the next Congress, but it would likely die in the Senate in light of White House opposition.
Internet of Things (IoT)
Internet of Things devices are becoming commonplace in American homes thanks to internet-connected appliances such as smart refrigerators. They also pose a security risk as the government purchases more internet-connected devices. Lawmakers have been grappling with how to address the growing threat to federal infrastructure posed by insecure IoT devices. The easiest path to legislating probably follows much of the road taken with respect to cybersecurity owned and operated by the private sector: voluntary compliance with multi-stakeholder standards and information sharing.
In August 2017, Senators Mark Warner (D-Va.), Cory Gardner (R-Colo.), Ron Wyden (D-Ore.), and Steve Daines (R-Mont.) introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) that would require federal agencies to use contract clauses to ensure the security of IoT devices sold to or used by the government by placing the onus on federal contractors to vouch for the security and correction of vulnerabilities of these devices. If enacted as drafted, the bill may drive the development and proliferation of industry practices to secure and patch IoT in the private sector as well because the federal government is one of the biggest buyers of goods and services.
Also in August 2017, the Senate passed the “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S. 88) that would task with Department of Commerce (Commerce), Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), and other federal stakeholders with generating recommendations and a report to Congress on how the federal government can best foster the growth of the IoT. However, the House has not yet acted on either companion legislation, H.R. 686, or the Senate-passed bill.
A different IoT bill has been reported out of the House Energy and Commerce Committee in July 2018. The “State of Modern Application, Research, and Trends of IoT Act” (SMART IoT Act) (H.R. 6032) would direct Commerce to study private sector voluntary IoT standards and federal government jurisdiction over IoT. Then a report would be submitted to Congress on the findings, presumably as a predicate for possible federal legislation.
Congress and policymakers are still trying to educate themselves on IoT and the issues and implications posed by widespread use. It is unlikely that Congress would choose to enact the IoT Cybersecurity Improvement Act, which would require the federal government to wade into the issue more deeply than some in Congress would be comfortable with at present. It is far more likely that Congress takes the half a loaf approach and passes either the DIGIT Act and/or the SMART IoT Act, both of which would task federal agencies with studying IoT issues and making recommendations.
There are a few other cybersecurity bills that could come into play during the lame duck session.
Partly in response to the WannaCry ransomware attacks that were made possible through a Microsoft vulnerability stolen from the National Security Agency (NSA), the “Protecting our Ability To Counter Hacking (PATCH) Act” (S. 1157/H.R. 2481) would codify how the government decides which zero day exploits and other vulnerabilities should be shared with the private sector. After this bill was introduced, the White House released the Vulnerabilities Equities Process (VEP) Charter, which governs how the “Federal Government will handle the process that determines whether the Government will notify a private company about a cybersecurity flaw in its product or service or refrain from disclosing the flaw so it can be used for operational or intelligence-gathering purposes.” Given the Trump administration’s action, it is not likely Congress acts on this legislation despite problems with the Charter, including that the document is not an executive order and is merely and interagency agreement on the process to be used. The VEP Charter may have sapped the political will to pass the PATCH Act, but it carries less force, permanence, and predictability than an enacted law, and could theoretically be ignored or discarded in certain cases.
Another pending bill is the “Email Privacy Act” (H.R. 387/S. 1654). Broadly speaking, the “Email Privacy Act” would regularize the varied treatment of electronic communications such as email that depends largely on the status and location of the communications. Despite repeated passage by the House in recent years, some stakeholders in the Senate have tried to add provisions that critics claim would ultimately degrade the privacy of Americans. Notably, in a Senate Judiciary Committee markup, amendments were offered that would have expanded the government’s use of National Security Letters, an administrative subpoena used to obtain electronic communications and financial records. It is unlikely this bill gets passed in the lame duck session.
If Congress moves on cybersecurity legislation in the lame duck session, it will likely be on smaller caliber bills. Moreover, action may not occur until the very end of the lame duck, which could be in December. It is possible that Congress will address some of the major cyber-related issues in the next Congress, but with a Congress divided between Republicans and Democrats, major cyber legislation may again stall.