Legislation that would elevate the Department of Homeland Security’s cybersecurity functions may be the most likely cyber-related candidate for congressional action this year, while various panels consider big-picture issues such as international deterrence in cyberspace.
House Homeland Security Chairman Michael McCaul, R-Texas, last week reiterated that he will “soon” move a bill to create a cybersecurity agency within DHS and said he was receiving helpful “technical assistance” on the measure from a supportive Trump administration.
The measure would strengthen the government’s ability to respond to attacks and improve deterrence, McCaul said, by clarifying responsibilities and centralizing cyber functions within DHS. It has also triggered jurisdictional concerns on Capitol Hill that may still be unresolved.
Beyond that bill, sources with key industry groups say they still don’t expect much in the way of legislative action this year.
“Major cyber legislation is not on the horizon, and that’s perhaps a good thing. Industry groups are able to methodically work through issues with agency officials that are largely sector-specific and simply take time to address,” said one industry source.
But at the 30,000-foot level, congressional committees are taking a closer look at how to craft a national strategy on cybersecurity that actually deters bad actors in cyberspace.
Business groups such as the U.S. Chamber of Commerce have been pressing for the government to better spell out how it will respond to aggression against the private sector by foreign governments. Many on the business side believe companies have been left to their own devices to contend with such attacks.
The Senate Banking Committee last week pondered how sanctions might be used more effectively to deter Russian aggression in cyberspace and elsewhere.
The issue has long been a priority for Senate Armed Services Chairman John McCain, R-Ariz., who frequently criticized the Obama administration for failing to spell out more clearly how the U.S. would respond to cyber aggression. That ambiguity, McCain said, led directly to incidents such as the massive 2014 Sony Pictures hack by North Korea and other high-profile incidents.
The Armed Services Committee’s new cyber subcommittee last week held its first public hearing, focused on “cyber-enabled operations” such as those employed by Russia targeting the 2016 elections.
The Trump administration signaled early on that deterrence would be a key feature of its cybersecurity strategy.
“We will not allow other states to hold us at risk,” new White House cyber coordinator Robert Joyce said in a speech last week. “We must be able to sustain our infrastructures during times of stress.”
State Department cyber coordinator Christopher Painter, who served in the same position under former President Barack Obama, said in a speech last week that the new administration is “ramping up” its efforts to enforce global “norms” of behavior, while saying the U.S. will not enter an international treaty that limits this country’s flexibility and freedom of action.
At a confirmation hearing for CIA general counsel nominee Courtney Simmons Elwood last week, Senate Intelligence Committee member James Lankford, R-Okla., cited some of the urgency and frustration around the deterrence issue.
“They’re really difficult issues, and they’re issues that we’re struggling with on this committee. They’re issues that this committee and other committees have complained about bitterly to the administration and say there seems to be no cyber doctrine and we’re well behind the curve on dealing with a clear cyber doctrine issue,” Lankford said. “This is going to be an area, we’re going to have to write new statute but it’s also an area [where] you’re going to have to interpret a lot of the issues.”
Lankford, who has seized on cyber issues in his work at the Intelligence, Homeland Security and Appropriations committees, asked Elwood to “be a part of helping craft a cyber doctrine,” which the nominee said she would be pleased to do.
“[J]ust know this committee is thinking about cyber doctrine a lot and how we can actually get that established, how we work agency-to-agency, how we work through the whole of United States government on that, and what is needed legislatively to be able to provide clarity on that,” Lankford said.
The cybersecurity deterrence issue sprawls across jurisdictional lines, both on Capitol Hill and within the federal government. It’s an issue for the intelligence community, the Pentagon and DHS, as well as for the various congressional committees that oversee those agencies.
The cyber-strategy legislation Lankford is suggesting could come as a huge relief to industry groups that feel they’ve been left hanging on the front lines to contend with foreign cyber aggressors.
But it won’t come easily, and the actual effort to begin writing legislation remains a distant prospect.