
Congress returns, but the real cybersecurity action is taking place off the Hill

Some in the business community expect to see the new administration pay more attention to providing industry with incentives to make costly investments in cybersecurity.

Lawmakers return to Capitol Hill this week with a few cybersecurity items on the agenda for the upcoming legislative work period, while the most significant efforts in the coming months may be taking place at the White House and at the National Institute of Standards and Technology's campus in suburban Maryland.

"On the congressional front, we expect a lot of activity and discussion, but it's not clear that will result in any legislation in the short term," said Robert Mayer, vice president for industry and state affairs at the United States Telecom Association.

Mayer has been an instrumental player in industry-government collaboration on cybersecurity, through various Department of Homeland Security programs, for instance, and as a key contributor to the development of NIST's framework of cybersecurity standards.

"Major legislation around a DHS reorganization or a new role for NIST in overseeing federal agency cybersecurity doesn't appear to be on the fast track," Mayer said.

On the other hand, he said, "All eyes are on administration policy guidance that will be part of the long-anticipated Cybersecurity Executive Order and a major effort by NIST to update the Cybersecurity Framework released in 2014. These initiatives will dominate much of the policy debate for the remainder of 2017."

The executive order is expected to further define agency roles on cyber and formally spell out the Trump administration's policies. Many cyber policy veterans say they don't anticipate major departures from the Obama approach, which relied heavily on government-private sector partnerships.

Some in the business community expect — and hope — to see the new administration pay more attention to providing industry with incentives to make costly investments in cybersecurity, which White House officials have hinted could be in the executive order. Much of the business community would love it if the order also took steps to discourage agencies from regulating around cybersecurity.

It's still too early to say what will be in the order — even Homeland Security Secretary John Kelly said last week he was "standing by with bated breath" to see the final version.

So is the cyber policy community as a whole.

"Substantive cyber action in the near-term will be coming from the Executive Order — what it emphasizes, the responsibilities it outlines for government, how it organizes government, and the role of industry — both in policy development and in industry's response to the E.O.," said Kiersten Todt, executive director of Obama's special commission on cybersecurity, who continues to advise government and private-sector officials on cyber issues.

On Capitol Hill, small bills on issues like cyber education in the schools and strengthening the cybersecurity workforce are bubbling up through the process.

Other legislation with more sweeping policy repercussions has been offered this year, but the fate of those efforts remains unclear.

A bill to consolidate functions at the Department of Homeland Security into a new cybersecurity agency could move within the House Homeland Security Committee over the next month or so, according to committee sources.

But it might not go any further amid ongoing jurisdictional problems with the seven other committees that oversee DHS.

Overhauling and renaming DHS' National Protection and Programs Directorate into a Cybersecurity and Infrastructure Protection Agency is a high priority for House Homeland Security Chairman Michael McCaul, R-Texas, as it was for former President Barack Obama's DHS leadership, although those two sides were never able to agree on the details.

Retired Marine Corps Gen. Kelly, the new DHS chief, in his first major policy speech last week said "streamlining" DHS cybersecurity functions is a top priority, but he didn't specifically mention the McCaul legislation.

"Right now we're in the process of working with the Trump Administration in a bipartisan manner on the NPPD re-org bill," a House Homeland Security Committee spokeswoman told InsideCybersecurity.com. "We expect to introduce a standalone bill soon and will announce a Committee markup in the near future. We look forward to continuing the progress we made last Congress by working with other Committees as the process continues."

A separate measure, giving NIST a new role auditing other federal agencies' cyber efforts, has passed the House Science Committee but doesn't have a clear path to the floor amid opposition from many in industry and the leaders of other House committees.

House Oversight and Government Reform Chairman Jason Chaffetz, R-Utah, who quickly emerged as the most vociferous opponent of the Science Committee's NIST bill, announced last week he would retire at the end of this session of Congress.

But much as with Rep. Darrell Issa, R-Calif., his predecessor as Oversight chair, expect Chaffetz to fiercely defend his panel's cyber jurisdiction for as long as he holds the gavel.

Which brings us back to NIST, a tiny agency in the federal bureaucracy that punches well above its weight when it comes to cybersecurity policy.

NIST is in the midst of updating its landmark framework of cyber standards, which as USTelecom's Mayer and other industry sources point out will play an enormous role in shaping government-industry efforts to protect cyberspace.

The framework pulls together various government and private-sector cyber standards and aims to create a way for companies to think about how best to organize their cybersecurity efforts.

The agency hosts a May 16-17 workshop at its Gaithersburg campus that will bring in many of the cyber policy heavy-hitters from the private sector who helped shape the framework back in 2013-2014.

Industry groups recently weighed in on the proposed update, focusing in particular on how the effectiveness of the framework may be measured just over three years after its release.

NIST is also looking at issues such as how companies can ensure the cybersecurity of their supply chains and how to "harmonize" and streamline regulations around cyber. Better international coordination is also a hot topic for NIST as it works on the framework update.

But the real hot-button issue is "metrics" — how do you prove that the framework is actually improving security?

The Internet Security Alliance in comments to NIST called for developing metrics that will help companies decide how to spend their cybersecurity budget most effectively.

Other groups, such as the U.S. Chamber of Commerce, are urging NIST to tread carefully on metrics amid worries about establishing a "check list" approach to cybersecurity rather than the flexible "risk management" approach embodied in the framework of standards.

The U.S. Chamber would also like to see some attention paid to measuring the effectiveness of the government's efforts to deter the foreign cyber aggressors that often attack the private sector's networks with impunity.

The Chamber and Internet Security Alliance, like USTelecom, were at the table throughout development of the NIST framework and actively engage in government-industry cyber efforts through numerous venues.

NIST officials expect to come out of the May workshop with a good understanding of industry's varied views on metrics and other key topics and produce the widely anticipated update to their framework this fall.

As of now, the results of that process, led by an obscure agency out in the suburbs, might have more to say about where the nation's cybersecurity effort is heading than anything that will come out of Congress or the White House this year.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.