Cyber policy may not lurch in a dramatically new direction if Democrats capture the House, Senate or both in November. But the new majority is sure to scrutinize Trump administration efforts and could pursue structural changes such as creating a high-level cybersecurity position within the White House, according to Democratic lawmakers and policy veterans.
“If the Democrats take the House, you’re looking at virtually zero policy work getting done. Every committee will be geared toward investigating Trump and advancing his impeachment,” predicted one congressional Republican aide, reflecting a view that seems prevalent on the GOP side of the aisle. “The Democrats’ base will absolutely rebel if the party takes any other course of action.”
Still, whatever policy levers Democrats choose to pull, the stakes would be enormously high.
“Cybersecurity is one area where it’s absolutely vital that we have a bipartisan approach,” said Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association. “Given the nature of the current threat environment, specifically nation-state attacks, it’s essential that all parts of government work together across agencies and with industry to develop strategies and processes to protect our national and economic security.”
Sources said Democrats would likely focus on creating an empowered cyber czar to replace the cybersecurity coordinator position that President Trump abolished this year, while paying more attention to election security and streamlining congressional oversight of cyber issues. This would be alongside inevitable investigations and aggressive policy oversight of the administration.
“My sense has been that Democrats have been frustrated by the inability to get more election-oriented cybersecurity legislation passed,” said Ari Schwartz, a senior cyber official in the Obama White House, now at the firm Venable. “That would be a major difference.”
But he also observed: “In most other cases, cybersecurity policy on the Hill has been very bipartisan and there would not be a major change in focus.”
One industry source took a gloomier view, pointing to the possibility of increased scrutiny of some initiatives that industry is doing — voluntarily — in collaboration with various federal agencies, including the departments of Homeland Security and Commerce.
“If the Democrats win the House, we should expect increased skepticism about the effectiveness of the public-private partnership construct and flexibility as embodied in the NIST Cybersecurity Framework,” said the source, a veteran of multiple government-industry collaborations.
“While cyber legislation has largely escaped divisive partisanship, a change in party control would have an impact,” the industry source said. “As a general matter, the Democrats tend to believe that stronger government oversight and intervention is needed to hold the private sector accountable while the Republicans tend to put more faith in market drivers.”
Rep. James Langevin, D-R.I., a senior member of both the Homeland Security and Armed Services panels who addressed strictly policy issues, said the focus will be on oversight of existing activities at agencies, not necessarily creation of new regulations.
“We haven’t moved the ball enough on [cyber] oversight,” he said. “It needs to happen faster and more comprehensively.”
Langevin, co-founder of the bipartisan Congressional Cybersecurity Caucus, would probably lead the Armed Services emerging threats subcommittee if the Democrats get the net 23-seat pickup they need on Election Day to secure a House majority.
Looking at the House’s current committee structure, Langevin said, “oversight of cybersecurity is too stove-piped. The jurisdictional issue is a problem and we need to streamline.”
The problem, Langevin said, is “jurisdiction, jurisdiction, jurisdiction. It’s a major roadblock to legislation and oversight.”
With 80-plus committees and subcommittees exercising authority over cyber issues, “we need more agility in oversight,” Langevin said. “That takes strong leadership at the speaker and minority leader level. I hope we’re in the majority and can streamline oversight. That will be one of my top priorities.”
Lawmakers from both parties have discussed the need to consolidate cyber oversight on the Hill, and it was a prime objective of the late Sen. John McCain, R-Ariz. But those efforts inevitability led to stalemate amid the refusal of chairmen to cede their authority over the issue.
On another issue, Langevin said that as a leader he would push for a “Senate-confirmed cyber director role with budget authority, at the White House.
“There needs to be one person who is responsible and accountable for what the policy is and what the metrics are for success.”
Such a position would have significantly more authority than the White House cyber coordinator role that Trump eliminated this year. The job was a creation of the Obama administration that lacked statutory authority.
Langevin likened the position he envisions — and has detailed in legislation introduced in the past two Congresses — to the director of national intelligence or the director of national drug control policy.
Kiersten Todt, who ran President Barack Obama’s national cybersecurity commission in 2016, agreed. “Regardless of who is in power, the federal government should have a National Cybersecurity Strategy that is developed and executed by the White House. There should be a senior official within the White House that reports directly to the president of the United States on cybersecurity.
“This individual would be responsible for the execution and implementation of the strategy,” she added, “as well as be the person at the highest level in government responsible for the cybersecurity of the federal government.”
In line with Ari Schwartz’s comment, Langevin also expressed concerns that not enough has been done to secure state elections systems amid hostile action from Russia.
“We’re going into the elections with just a Band-Aid,” he said. “Time is short now but I’m concerned about DHS having enough resources to deal with states and localities, and to protect other critical infrastructure.”
And he called for action on data security and breach notice legislation, such as the bill he has introduced that would require notification to consumers within 30 days of detecting a breach and give the Federal Trade Commission statutory authority for “coordinating responses” to cyber attacks.
“There hasn’t been enough done to prevent future Equifaxes from happening or to notify consumers” of breaches, he said.
A Democratic majority in the House would probably put Rep. Bennie Thompson, D-Miss., atop the Homeland Security Committee, where he has worked closely on cyber issues with current Chairman Michael McCaul, R-Texas.
Rep. Elijah Cummings, D-Md., would likely take over the Oversight and Government Reform panel, which asserts broad jurisdiction over cyber policy throughout the executive branch. Cummings and Chairman Trey Gowdy, R-S.C., have sparred repeatedly on the panel’s oversight of Trump administration activities.
House Armed Services would likely go to Rep. Adam Smith, D-Wash., a tech- and cyber-savvy lawmaker. Among other panels with extensive cyber portfolios, the House Energy and Commerce gavel would likely go to Rep. Frank Pallone, D-N.J., a prominent advocate of strong consumer data security and breach notice legislation.
Rep. Adam Schiff, D-Calif., would take over the Intelligence Committee. He has conflicted sharply with Chairman Devin Nunes, R-Calif., over the panel’s Russia investigation, though the two have worked well together on cyber issues.
