The month-long legislative stretch that wraps up this week promised to be pivotal for cybersecurity legislation, and while Congress didn’t pass any big bills, this work period clarified where key cyber issues stand on Capitol Hill.
A Department of Homeland Security reauthorization bill rich with cyber provisions passed a Senate committee and moved one step closer to final passage in the coming months.
Among other elements, the bill would consolidate DHS cyber functions in a single agency and follows House passage of similar legislation last summer. It also culminates years of work, in both chambers, to overcome conflicting jurisdictional claims among congressional committees that long thwarted similar DHS legislation.
“I’m not anticipating problems,” Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., said when asked about possible challenges on the Senate floor. “We’re going to have to combine the different elements and get some floor time, but hopefully, we’ll be able to get that. … [Floor timing is] above my pay grade, but I’ll be pushing for it, though.”
Election security amendments were offered and then withdrawn during the March 7 markup of the DHS bill, but Sen. James Lankford, R-Okla., said he expects to have an opportunity to move his bipartisan proposal on elections as standalone legislation. Sens. Lindsey Graham, R-S.C., Kamala Harris, D-Calif., and Amy Klobuchar, D-Minn., are also on that bill.
“I don’t know why this is controversial,” Lankford said of the proposal to provide states with more money to secure elections systems.
But now, he said, further action will await the recommendations of the Senate Intelligence Committee coming out of its Russia investigation. The intelligence panel “will have a public hearing and then, we’ll have standalone legislation when everything’s done” with the investigation, Lankford said.
That, he suggested, would still be in time to help secure the elections in November.
House Homeland Security Chairman Michael McCaul, R-Texas, also pledged to hold a hearing soon on election security.
Driverless cars, electrical grids
On another long-pending issue, Senate Commerce Chairman John Thune, R-S.D., promised passage this year of a bill addressing the cybersecurity of self-driving cars. He’s been angling for floor time for a bipartisan committee-passed bill, while similar legislation has already cleared the House.
“Unfortunately, it’s probably not happening in this current [work period], but I’m hoping that we’ll get a shot at voting on that,” Thune told InsideCybersecurity.com. “For sure in this Congress, whether it happens in the next two weeks remains to be seen.”
Lawmakers also took steps on narrowly targeted cyber bills aimed at bolstering the security of the electric grid and providing resources for small businesses to shore up their defenses, which are noncontroversial but address important issues. The House Energy and Commerce Committee is preparing to move grid security legislation, while the House Small Business Committee on March 14 passed a bill to help smaller enterprises.
Bills that didn’t make it
The work period has also seen several swings and misses.
The banking regulatory reform bill that moved through the Senate last week didn’t end up addressing issues such as consumer data security or rules for credit rating agencies like Equifax, despite bipartisan efforts to add cyber-related amendments.
Sen. Roy Blunt, R-Mo., pushed for inclusion of his data-breach notification bill but was rebuffed.
But it was always unlikely that senators would short-circuit the committee process on data-breach legislation.
With that in mind, a House Financial Services subcommittee held an eagerly awaited hearing on a draft bill by Rep. Blaine Luetkemeyer, R-Mo., but the panel didn’t hold a markup, as expected. Discussions continue, according to sources, amid differences between the financial and retail sectors in particular.
Senators interested in the issue, including Blunt and Thune, have been seen as holding back until they see what, if anything, the House can produce on the issue.
State issues
Among the surprises this work period, the firing of Secretary of State Rex Tillerson has muddied the waters around efforts on Capitol Hill and in the State Department to organize the nation’s international approach to cybersecurity.
Tillerson had abolished, and then was in the process of recreating, a cyber office at State, while House Foreign Affairs Chairman Ed Royce, R-Calif., has pushed legislation through the House that mandates and defines such an office.
The bill awaits action in the other chamber, but senators were largely awaiting the outcome of talks with Tillerson. They are now waiting to see how his designated replacement, CIA Director Mike Pompeo, views the matter.
“It’s very important to have a conversation with Pompeo on what direction he wants to go,” said Sen. Cory Gardner, R-Colo., who chairs the Foreign Relations cybersecurity subcommittee. “I don’t know if this pauses things, but as we look at this new [cyber] structure, we have to take into account the personalities involved.”
Gardner added that Pompeo “has a keen understanding” of cyber issues, and multiple Senate Democrats echoed the sentiment that the new secretary will be more attuned to cybersecurity.
When Congress leaves for a two-week break this week, lawmakers will have only 13 weeks left to complete their business before the August recess, and before the looming 2018 midterms essentially preclude action on anything other than must-pass bills.
Bills on DHS, election security, and self-driving cars appear to be positioned for action, along with a handful of small-bore measures. Other cyber issues, including addressing consumer data breaches, appear to be sliding into the wait-til-next-year category.
