Long-stalled legislation to create a federal data-breach notification standard and final action on a bill upgrading Department of Homeland Security cyber functions top the list of possible congressional moves on cybersecurity issues in 2018, a year brimming with cyber policy possibilities but short on legislative days.
Congress faces a compressed election-year calendar, although data-breach legislation seems likely to get attention starting this winter.
Rep. Blaine Luetkemeyer, R-Mo., who chairs a House Financial Services subcommittee, said he’s still working on the details but hopes to roll out a breach-notification bill sometime in the first quarter.
Luetkemeyer said he’s already in discussions with Energy and Commerce Committee leaders about ways to move forward jointly, after rival approaches left the two panels at odds in years past.
“That’s the only way this will become law,” Energy and Commerce Chairman Greg Walden, R-Ore., said in an interview.
“Data breach and consumer protection issues will remain at the top of the agenda looking to next year,” said Rep. Bob Latta, R-Ohio, who chairs the Energy and Commerce subcommittee with jurisdiction. “The committee is working with a wide range of stakeholders to ensure a path forward that will incentivize security and help prevent breaches.”
Legislative efforts on consumer data breaches have yet to take shape in the Senate, although both Commerce Chairman John Thune, R-S.D., and Judiciary Chairman Chuck Grassley, R-Iowa, have called for legislation and have jurisdiction. Senate Democrats have introduced a tough breach-notification bill that could serve as a marker for their demands if the Senate tries to act.
Sources say a bipartisan Senate working group on the issue has written policy options but is hanging back to see what the House produces before unveiling legislation.
A new DHS cyber agency
Congress might be able to find new money and assistance for states in securing their election systems as one response to Russian hacking aimed at influencing the 2016 elections, but big policy outcomes related to that controversial topic appear unlikely.
On the other hand, clarifying and streamlining the federal government’s overall approach to cybersecurity could be helpful in this and many other areas. To that end, House Homeland Security Chairman Michael McCaul, R-Texas, has consistently promoted his Cybersecurity and Infrastructure Protection Agency Act as an important organizational tool.
His bill unanimously passed the House in December but couldn’t make it onto the Senate’s year-end agenda, as Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., said he wanted to make some “modifications.”
The bill would put DHS cyber functions into a new Cybersecurity and Infrastructure Protection Agency, with clear authority and a defined role that McCaul says will help both industry and various federal agencies engage on cyber.
Johnson is expected to take a closer look at how the bill would affect the private sector and to ensure that other departments can still exercise their authority over cyber issues, but he predicted late last year that the measure ultimately could clear the Senate by unanimous consent.
Financial (cyber) security
Legislation to enhance cybersecurity at the Securities and Exchange Commission saw action in the House last fall and could get a look in the Senate this year.
In November, the House passed H.R. 3973, the Market Data Protection Act, in response to a data breach at the SEC. The bill would require the SEC to develop internal risk control mechanisms to secure market data information.
The bill by Rep. Warren Davidson, R-Ohio, was referred to the Senate Banking Committee after it cleared the House. It doesn’t yet have a Senate sponsor.
A bill addressing cybersecurity of credit rating agencies such as Equifax — the target of a massive breach uncovered this year — was introduced by Rep. Patrick McHenry, R-N.C., and referred to Financial Services, and could move this year.
A growing role for NIST
House Science Chairman Lamar Smith, R-Texas, is still trying to find floor time for his bill setting up a process for auditing federal agencies’ use of the National Institute of Standards and Technology’s framework of cybersecurity standards.
The bill cleared the Science Committee in March and was revised in October to address concerns from some in industry and other congressional committees.
“Chairman Smith hopes to bring the bill to the floor soon,” Science Committee spokesman Brandon VerVelde said. “We believe that the revised bill addresses the concerns that were raised. The bill definitely complements the president’s executive order to strengthen federal cybersecurity.”
An industry source said concerns remain that putting NIST in any kind of auditing role could erode its function as a trusted partner with industry on cyber issues and make it more of a “bad cop. … We’re still trying to get the language changed.”
Lawmakers have repeatedly turned to NIST — considered an honest broker with bipartisan and industry support — in recent years on cyber issues. But congressional Democrats have also objected to giving the agency an auditing function.
One of the most consequential cyber measures facing Congress would address the security of self-driving cars.
Senators continue to discuss a broad bill, developed by Thune and Sen. Gary Peters, D-Mich., that would require automakers to establish cybersecurity plans for autonomous vehicles. No date has been set for Senate floor consideration.
The Senate Commerce Committee passed the bill by unanimous voice vote in October, shortly after the House passed its own version of the bill.
The Internet of Things
Legislation on setting minimum security requirements for Internet of Things devices purchased by the federal government could be on the docket in 2018. The Internet of Things refers to all manner of interconnected devices, ranging from smartphones to self-driving cars.
House Oversight IT subcommittee Chairman Will Hurd, R-Texas, and ranking member Robin Kelly, D-Ill., have been working on companion legislation to the Internet of Things Cybersecurity Improvement Act by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo.
The Senate version of the bill still awaits consideration by the Homeland Security and Governmental Affairs Committee.