National Cybersecurity Awareness Month is likely to end quietly on Capitol Hill without action on any major cybersecurity legislation, and that may not be a bad thing as work continues on nuts-and-bolts pieces of cyber policy.
“My sense is that the Hill isn’t too hung up on producing something for cyber month, which really needs to be disposed of — every month needs to be cyber month,” said Kiersten Todt, who was executive director of the Commission on Enhancing National Cybersecurity that produced recommendations for the Trump administration late last year.
A number of bills are in the chute on issues such as self-driving cars. Those measures won’t see final action in the coming days, but there is some optimism that the cybersecurity of autonomous vehicles and measures to bolster the cyber workforce and assist small business can advance before the year is over.
From a long-range policy perspective, perhaps the most significant legislative work has been on a bill by House Homeland Security Chairman Michael McCaul, R-Texas, to firmly establish the Department of Homeland Security’s role on cyber in the federal hierarchy. That bill, eventually, could be the vehicle to carry some of the smaller measures across the finish line.
McCaul has targeted October for House floor action on his bill to consolidate DHS’ cybersecurity functions into a standalone agency, with the clout to drive cyber policy efforts across government and clearly be the key interlocutor for industry on cybersecurity matters.
The wrinkle, of course, was that at least three other House committees share significant oversight of DHS, and weren’t keen on the idea of McCaul’s panel assuming the lion’s share of jurisdiction over the department’s cyber activities.
That issue isn’t particularly relevant in the Senate, where the Homeland Security and Governmental Affairs Committee has broader jurisdiction than its House counterpart. But Sen. Ron Johnson, R-Wis., the panel’s chairman, says he won’t get to this issue probably until next year.
This month, a House Homeland Security Committee staffer said “we continue to push forward, we’re still working toward the October goal” of passing the DHS reform bill.
All of the other committees “have been responsive to us,” the source said. “This bill ensures the cybersecurity mission that Congress has put in place over the years for DHS is accomplished.”
But as House members were wrapping up their mid-October recess late last week, the source acknowledged that the October goal might be missed.
“Talks are continuing among the committees,” the source said, while emphasizing progress is being made and that October isn’t a real deadline for action.
The other House committees — Oversight and Government Reform, Transportation and Infrastructure, and Energy and Commerce — have been keeping a discreet silence on the progress of the talks. Yet, outside sources mostly agreed that things were moving.
“I have been hearing about constructive talks on NPPD for a while but I don’t see them going anywhere [quickly],” Todt said. “I also wonder if they will wait on any action until Kirstjen Nielsen’s confirmation” as DHS secretary. NPPD is National Protection and Programs Directorate, which would be reformed into the cyber agency.
James Lewis of the Center for Strategic and International Studies agreed, saying, “I think the bill is getting traction, but it’s not top of the to-do list.”
On the other hand, he said, “You could make useful changes … but a lot depends on the new secretary-designee. I think things have been on hold, [but] I expect they’ll free up when she gets in.” Timing for Senate action on the Nielsen nomination has yet to be set.
Under Lewis’ leadership, CSIS also built a package of recommendations for the new president and, in the absence of legislation, he said DHS could write and release a mission statement on cybersecurity that would help clear up roles and responsibilities.
“A clear mission statement for cybersecurity would be the easiest,” he said.
In years past, October has been a productive month for action on cyber bills, but all is not lost if that’s not the case this year. Cyber issues also have a way of finding themselves into the big, unrelated packages that Congress always deals with in December.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
