Congress has a growing opportunity to lead on cybersecurity policy after years of playing catch-up with the previous administration, but it remains to be seen which congressional committees will emerge as cyber leaders and whether multiple panels can work together to address cyber priorities.
As the Trump administration focuses on technology upgrades throughout the federal government, lawmakers have focused on the Department of Homeland Security’s cyber role, harmonizing cyber regulations on industry, building a national cyber strategy — a priority for the House and Senate Armed Services committees — and other issues.
The Senate Intelligence Committee held a June 21 hearing on election security, and the House Intelligence panel held a hearing the same day as part of the Russia hacking probe – an issue that is consuming both intelligence panels, which played key roles in formulating cyber policy in the past.
But there are also broader, cross-cutting issues that require the attention of committees that have tried to develop expertise on cybersecurity in a holistic manner.
The House Homeland Security Committee under Chairman Michael McCaul, R-Texas, has been eager to play this role. McCaul’s full committee and subcommittees have held 10 cybersecurity-related hearings since the beginning of 2016, including a recent markup of its first-ever, cyber-heavy DHS reauthorization legislation.
The DHS bill, which calls for a new, government-wide cyber risk assessment program and targets specific problems such as “insider threats,” is expected on the House floor this week.
McCaul last week hosted a cybersecurity forum that touched on the full sweep of policy issues, from national defense and deterrence to the security status of the nation’s critical infrastructure.
The Senate Homeland Security and Governmental Affairs Committee has held just three cyber-specific hearings in that time, but Chairman Ron Johnson, R-Wis., appears eager to jump more squarely into this policy space.
Johnson held a hearing last week on cybersecurity regulations and promised to write legislation creating an office, perhaps within DHS, to review and streamline all cyber rules across government. The intent would be to reduce regulatory burdens.
If such legislation does emerge, it could become one of the chief vehicles for addressing cyber policy this year.
The surprise player on cyber this year has been the House Science Committee under Chairman Lamar Smith, R-Texas. That panel has already passed cyber bills on auditing government agencies’ cyber protections and lending a hand to small businesses. It has held a total of eight cyber-related hearings and markups since 2016.
If the metric for committees’ interest in cyber activities is the number of hearings, the leader by far over the past two years has been the House Oversight and Government Reform Committee, which has held 13 hearings on the topic.
Some delved into specific hacks, such as compromises at the Department of Education and the Office of Personnel Management. Others looked broadly at the government’s IT workforce, procurement and general cybersecurity practices across agencies.
Cybersecurity was a top priority of former Chairman Jason Chaffetz, R-Utah, who often clashed with McCaul over cyber jurisdiction.
The Oversight Committee’s new chairman, Rep. Trey Gowdy, R-S.C., has yet to lay out his vision for the panel. He has made a point of assuring other chairmen that he respects jurisdictional boundaries.
Congress has an opportunity this year to firmly put its imprint on cyber policy. That could involve multiple committees tackling the issue in their own areas and in their own ways.
That approach could work, and it could yield innovative, flexible answers tailored for different parts of the economy.
But many cybersecurity strategists have warned against approaching the challenge from a jurisdictional or industry-specific perspective, which they see as the opposite of the necessary holistic, risk-based approach to cybersecurity.
The 115th Congress may come to define itself as a pivotal player on cyber policy, and there are multiple routes to that outcome.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.