There are plenty of open cybersecurity policy questions — on Capitol Hill and in the executive branch — as Congress takes a two-week recess.
While lawmakers are away, cyber policy watchers will be looking for a long-awaited executive order from President Trump on cybersecurity. The order is expected to spell out agencies’ roles in securing federal networks as well as pay special attention to “botnets” — the infection of interconnected devices with malware that is then used to launch attacks against targets such as financial networks, communications systems and internet service providers.
It’s also expected to include language — worrisome to industry — referencing a provision in a 2013 Obama executive order that applied special attention to certain critical infrastructure where a cyberattack could have a devastating impact on the United States.
Industry groups never liked that language to begin with, seeing it as a possible precursor to regulation, and now they argue that it doesn’t reflect the evolving threats in cyberspace.
But sources say the Department of Homeland Security is keen on keeping this so-called “section 9” language in the new Trump order, and the industry appears resigned to its likely inclusion.
How the order addresses various agencies’ roles will also be of intense interest among industry groups, lawmakers and federal officials at DHS, the Pentagon, the Office of Management and Budget and elsewhere.
After early signs that the Defense Department might gain new authority over civilian networks, sources say the final version of the order will preserve DHS’s primary role in protecting the civilian government and helping to secure private industry’s networks.
Also on the executive branch side, April 10 was the deadline for comments on a proposed update to the National Institute of Standards and Technology’s framework of cybersecurity standards, the premier instrument for interaction between government and the private sector on cyber in recent years.
There is intense interest in finding ways to demonstrate the effectiveness of the framework, and NIST is expected to use the incoming comments to finalize a “framework version 1.1” in the coming months.
If the framework can remain positioned as an effective — and voluntary — tool, that will go far in heading off pressure for new cyber regulation.
But that pressure exists, even with a Republican in the White House and GOP control of Congress.
There is an intense desire among lawmakers to demonstrate that they are “doing something” to address public concern about cybersecurity.
Two weeks ago, the Senate Energy and Natural Resources Committee held a hearing to assess the security of the electricity grid, with Chairwoman Lisa Murkowski, R-Ala., suggesting policymakers must still find the right mix between voluntary approaches to cybersecurity, like those in the NIST framework, and mandatory requirements.
Murkowski’s legislative plans may come into focus when Congress returns later this month.
The NIST framework was also the focus of a bill the House Science Committee passed in the recent congressional work period. That measure would require federal agencies to use the framework and NIST to audit their efforts.
The bill faces hostility from some of the business community, which fears it sets a bad precedent by employing the framework in a mandatory manner.
It’s also viewed dimly by members of the House Homeland Security Committee, who believe the Science panel is treading on their turf when it comes to setting requirements for protecting federal networks.
Beyond specific legislation, another question hovers over cyber policy on Capitol Hill: Will the ongoing, unpredictable investigation into Russian hacking and the 2016 elections, and related issues, permanently damage relationships that have helped keep cyber as a largely bipartisan policy area?
Heading into the recess, House Intelligence Chairman Devin Nunes, R-Calif., temporarily recused himself from the Russia probe amid an Ethics Committee investigation into his release of certain information.
Nunes’ relationship with the Intelligence panel’s top Democrat, Rep. Adam Schiff of California, has seemed at risk for weeks as the two have sparred over the Russia investigation.
That’s potentially bad news for cyber policy, because the ability of those two lawmakers to reach an accord on privacy and other issues paved the way for passage of landmark cybersecurity information sharing legislation in 2015.
The Russia probe is also straining relations at the House Homeland Security Committee, which has a long history of bipartisan collaboration on cybersecurity.
Ranking member Bennie Thompson, D-Miss., last week sought to move a resolution calling on DHS to turn over documents related to Russian hacking, which the committee ultimately blocked on a rare party-line vote.
Homeland Security Chairman Michael McCaul, R-Texas, accused Thompson of employing a “nuclear option” that was unnecessary given DHS’s cooperation on the issue.
But it clearly demonstrated that raw partisan tensions related to the Russia investigation are seeping into broader areas of cyber policy.
Congress is now into what could be a two-week cooling-off period. That could help adjust attitudes, but a raft of cyber policy questions will be waiting when lawmakers return. And two weeks off won’t make the issues any easier to resolve.
Charlie Mitchell is editor and co-founder of InsideCybersecurity.com, a premium news service from Inside Washington Publishers. He is also the author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.