Congress in recent days has attacked cybersecurity challenges on multiple fronts — a response that fits the broad, diverse nature of cyber issues, but also highlights the difficulty policymakers have in advancing actual solutions.
Multiple congressional panels held hearings last week on topics including the Equifax hack affecting 143 million Americans, the Department of Homeland Security's cyber mission, and securing the emerging "Internet of Things" — that web of interconnected consumer and industrial devices that makes everything from televisions to traffic lights a potential cyber attack surface.
The Senate Commerce Committee advanced landmark legislation addressing the cybersecurity of self-driving cars, one of the most prominent and critical areas of discussion when it comes to IoT security.
Commerce Chairman John Thune, R-S.D., and Sen. Gary Peters', D-Mich., bipartisan bill aligns with automakers' collaboration with the Department of Transportation on cyber standards and is similar to legislation already passed by the House. Congress appears likely to actually send a measure to President Trump for his signature before the end of the year.
But that's probably not the case for legislation that would create a cybersecurity agency at the Department of Homeland Security and clarify DHS's leadership role on securing federal agencies' computer networks and assisting the private sector.
"It's completely on the radar, it's incredibly important," Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., said. But the department is focused on multiple hurricane recovery efforts, he said, adding, "Before I move anything [on cyber], I want complete buy-in."
Asked about timing, Johnson said, "This year with all the things going on, it's a stretch. But I certainly hope this Congress."
DHS officials last week publicly urged Congress to act quickly on the legislation, a top priority for House Homeland Security Chairman Michael McCaul, R-Texas, whose panel passed a DHS reorganization bill in July. Staffers for Johnson and McCaul have been working on the issue behind the scenes, but now it appears that a final bill will have to wait until 2018.
Another cyber topic — consumer data security — was top-of-mind for lawmakers in both the House and Senate last week as former Equifax CEO Richard Smith marched between committees to testify on the massive breach at his company.
The six-week gap between Equifax learning of the breach and notifying consumers that their sensitive data had been compromised provoked bipartisan outrage on the Hill.
"It's long past time for a bipartisan national breach notification bill," Senate Judiciary Chairman Chuck Grassley, R-Iowa, said at a Judiciary subcommittee hearing with Smith.
Grassley said he was working on a bill with Judiciary ranking member Dianne Feinstein, D-Calif., but sources suggested these talks are at a preliminary stage.
Sen. Patrick Leahy, D-Vt., the former top Democrat on Judiciary, said he is preparing to reintroduce a comprehensive consumer data security bill, while Sens. Roy Blunt, R-Mo., and Tom Carper, D-Del., could also reintroduce their bill on the issue, which was referred to the Banking panel in the last Congress but has yet to be reintroduced.
A Senate source said discussions are taking place on possibly bringing the various proposals together into one piece of data-breach legislation, "but we're not there yet."
This flurry of Senate interest in data-breach legislation is not matched in the House.
Even if senators do rally around a bill — still a long shot, considering the jurisdictional issues at play and ongoing disputes between the banking and retail sectors over the proper approach — they may not have a partner on the House side.
The House Energy and Commerce and Financial Services committees have shown no interest in advancing a bill.
Rep. Bob Latta, R-Ohio, who chaired the Energy and Commerce consumer protection subcommittee Equifax hearing on Oct. 3, said "human error" was largely behind the hack.
Energy and Commerce Chairman Greg Walden, R-Ore., reiterated that he doesn't see a legislative response, saying, "I don't think we can pass a law to ... fix stupid."
With the hearings — and actual movement of some cyber legislation — it was an impressive first week for National Cybersecurity Awareness Month.
But lawmakers still need to follow through — and show they can respond to the cyber threat in a coherent and effective way.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.