Congressional committees continue to lock horns over who has jurisdiction over cybersecurity, a recurring problem and frustration for lawmakers trying to deal in this policy space.
Congress is in the middle of a two-week recess, but during the last legislative session, the House Science Committee passed a bill directing the National Institute of Standards and Technology to audit other agencies' cyber practices.
The bill was opposed by all but one Science panel Democrat, but its real problem is the intense opposition it has drawn from the House Oversight and Government Reform and other committees, according to congressional and industry sources.
Oversight Committee Chairman Jason Chaffetz, R-Utah, sent a scathing letter to House Speaker Paul Ryan, R-Wis., in March detailing how the science panel's bill steps on the OGR panel's jurisdiction over government computer security and the Office of Management and Budget's established role in overseeing federal agencies' cyber efforts.
"The Oversight Committee has sole jurisdiction over the formulation and oversight of government-wide information security policy, including cybersecurity," Chaffetz wrote.
Industry groups also weighed in, saying the proposal would drastically revamp NIST's role and perhaps undermine its status as a trusted partner, and threatening to roll out their lobbying guns to fight the bill if it advances.
Science Committee staffers defended their bill in a recent appearance before a NIST advisory panel.
"Despite ongoing efforts at [the Department of Homeland Security], there are still problems" with securing the government's systems, said Cliff Shannon, House Science Committee staff director. "If DHS were doing credible audits, we would not be having this conversation."
Sources say the House GOP leadership has signaled it has no interest in taking up the proposal, especially since it divides committee chairmen.
Another pending House measure is encountering obstacles related to jurisdiction that appear unresolved from the last session of Congress.
House Homeland Security Committee Chairman Michael McCaul, R-Texas, has said he will soon introduce a bill to consolidate cybersecurity functions at the DHS in a new cyber agency. He tried to move a similar measure last year — all the way through the lame-duck session — but couldn't escape the jurisdictional obstacle course.
Since then, a memorandum of understanding signed in January by the leaders of eight House committees with jurisdiction over the department was intended to clear the way for a first-time reauthorization of DHS this year. DHS, created in 2002, has never gone through a reauthorization intended to assess its mission and organization. The Department of Defense, by contrast, goes through the exercise every year.
But McCaul also believes the MOU should allow his separate bill reorganizing the department's National Protection and Programs Directorate into a cybersecurity agency to advance. Such a reorganization would help cement DHS's role as the lead civilian agency on cybersecurity, a long-held McCaul objective.
However, some sources say McCaul's cyber-agency bill actually runs afoul of the MOU, because two other committees also claim jurisdiction over the Department of Homeland Security's NPPD.
A Homeland Security Committee aide, in an email response, downplayed such concerns and said progress is being made on both the DHS reauthorization and McCaul's cyber restructuring bill.
"Working closely with leadership, Chairman McCaul signed an MOU with all the other committee chairmen with jurisdiction to ensure the House comprehensively reforms and improves DHS for the first time since its creation after 9/11," the committee aide told Inside Cybersecurity.
"Committees have been working on DHS elements within their jurisdiction and in a collaborative manner on elements with shared jurisdiction," the aide said. "These efforts are being done in coordination with DHS."
The aide concluded: "Right now we're in the process of working with the Trump administration in a bipartisan manner on the NPPD re-org bill. We expect to introduce a standalone bill soon and will announce a committee markup in the near future. We look forward to continuing the progress we made last Congress by working with other committees as the process continues."
One source with long Capitol Hill experience suggested that McCaul should set aside his cyber-agency bill and instead focus on reauthorizing DHS.
Under the reauthorization process agreed to in the MOU, which was brokered by Speaker Ryan, each of the eight panels would be responsible for writing pieces related to their areas of jurisdiction, and McCaul's committee would pull it together.
The Capitol Hill veteran, speaking on background, suggested that McCaul's NPPD reorganization could be folded into this process, which would also help ensure the Homeland Security Committee's place atop the jurisdictional pyramid.
"Put a working group together of the different committees and do the big reauthorization," the source said. "That would be an olive branch to the other committees instead of a middle finger."
This is McCaul's final term as homeland panel chairman and the elusive goal of reauthorizing DHS — with the NPPD reorganization included in that package — could be the crowning achievement of his tenure.
The source predicted, "The Homeland Security Committee will win the jurisdictional question if they pursue reauthorization and are the one that pulls the committees together."
Jurisdictional disputes have hamstrung cyber policymaking since the issue first gained visibility in Congress almost a decade ago.
Sometimes the competition among committees has derailed proposals that really weren't ready for prime time. And sometimes those tensions have prevented Congress from getting its work done on urgent cyber priorities.
How these dynamics play out this year remains to be seen.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.