The 116th Congress came out of the gate quickly on cybersecurity issues, passing two cyber-related bills in the last month. One creates a “bug bounty” program at the State Department to encourage researchers to find and report vulnerabilities on the department’s computer networks. The other increases the authority of the federal chief information security officer to order cybersecurity improvements across all civilian government networks.
Both bills cleared the House but not the Senate in the last Congress.
For the rest of the session, members are aiming higher than “bug bounties” when it comes to cybersecurity issues.
“There are a lot of pressing issues in cyber,” said Kiersten Todt, the former executive director of President Barack Obama’s cybersecurity commission. “What I hope is a Democratic House and Republican Senate can demonstrate that cybersecurity is not a partisan issue, it’s a national security and economic security issue.”
Bipartisan dialogue and collaboration, rather than partisan splits and heavy-handed regulation, have underscored the cyber discussions so far. For instance, there is a tacit understanding that digital privacy legislation will require plenty of dialogue before legislation is passed.
Senate Majority Whip John Thune, R-S.D., expressed optimism that a landmark compromise on privacy was possible.
“I think there will be some Republicans and Democrats that are going to put proposals and ideas out there, and at some point those will fuse together,” he said in January. “I hope it will be a bipartisan compromise that puts in place a national privacy standard that everybody can live with.”
Abigail Slater, a special assistant to the president for cyber policy, suggested at an industry event in January codifying in law the Federal Trade Commission’s role on privacy and strengthening its hand to protect consumers in the digital space. This approach has been embraced, at least in general terms, by Thune and lawmakers of both parties.
One way to enhance FTC authority would be allowing it to issue civil penalties the first time a company violates privacy standards, as opposed to merely “citing” firms for poor behavior. “I think there’s violent agreement around that,” Slater said.
“This will feed back to create stronger incentives for companies to be more compliant, to be more focused on privacy by design,” she added.
“We need a uniform, national, pre-emptive regime that allows beneficial innovation, use of data, and security measures,” said attorney Megan Brown of the firm Wiley Rein. “I am pleased by a lot of what I am hearing on privacy, insofar as there is a consensus about the need for federal action being far preferable to multiple state efforts to regulate.”
“I hope that we can keep policymakers focused on improving partnerships instead of moving to a regulatory approach, which will undermine voluntary collaboration,” she added. “The Department of Homeland Security has been making good progress on partnerships and getting the word out on collective defense. I think more effort should be put into that sort of work, instead of backward-looking regulation that addresses yesterday’s problems and threatens ruinous liability.”
The Cyber Diplomacy Act, reintroduced in the House in January, would create a cybersecurity office with a corresponding senior position at the State Department. That role was terminated earlier in President Trump’s term.
“I was pleased to see the Cyber Diplomacy Act reintroduced, with some changes that I think are good,” said Christopher Painter, the former cyber coordinator at the State Department. “Overall, I think it and other bills show an evolving understanding and increased priority of cyber issues on the Hill.”
The first cybersecurity bill offered by the new Democratic majority in the House was an election security measure that would include $1.75 billion in grants for states to use in upgrading the cybersecurity of their voting systems.
Another bill, sponsored by Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., would establish a White House office to combat intellectual property theft and secure supply chains for critical technologies, specifically targeting Chinese activities. A House version of the bill was later introduced by Reps. Jim Himes, D-Conn., Mike Conaway, R-Texas, and Will Hurd, R-Texas.
The new chairman of the House Homeland Security Committee, Rep. Bennie Thompson, D-Miss., has previewed an ambitious cyber agenda. “We’ll look at the Chinese intrusions that have come to our attention,” he said. That includes concerns around products from Chinese telecommunications companies Huawei and ZTE, which the government is in the process of rooting out of federal systems.
Thompson said his panel will examine “some of the other challenges with some of the [Chinese] companies that we’ve been told have not been good players in the market, and see whether or not the administration is saying we ought to continue to do business with them when we’ve been given information that causes us concern about their activity in the marketplace and whether or not they’ve been honest brokers.”
Rep. Patrick McHenry, R-N.C., the new top Republican on House Financial Services, has called for a hearing on that sector’s cybersecurity issues. The new committee chairwoman, Rep. Maxine Waters, D-Calif., has long championed an aggressive effort on consumer data security and breach notification.
