Clock is ticking for Congress to move cyber legislation

Congress is in session for about 17 weeks before the August recess, and it will get more and more difficult to pass significant cyber legislation as the election-year calendar quickly slips away.

That makes it critical to begin notching accomplishments in the four-week legislative stretch that begins Tuesday.

The Senate Homeland Security and Governmental Affairs Committee could provide a hot start with plans to move a first-ever reauthorization of the Department of Homeland Security at a markup on Wednesday.

DHS reauthorization is significant to cyber, addressing the department’s cyber workforce, its work on securing various sectors such as the aviation industry, and requiring it to produce a regular cyber “risk assessment” for the federal government.

But sources suggested the reauthorization measure could also carry separate legislation creating a standalone cybersecurity agency at DHS, as well as so-called SAFETY Act language emphasizing that legal liability protections apply to new cybersecurity technologies.

No decision has been announced on adding either provision during this week’s markup.

Legislation consolidating and elevating existing DHS cybersecurity functions in a new agency has passed the House and is a top priority for House Homeland Security Chairman Michael McCaul, R-Texas.

The House has also already passed a McCaul-written DHS reauthorization bill, so if Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., can get those measures through his panel this week, enactment this year would be highly likely.

“Strengthening the cybersecurity mission of DHS remains a top priority in 2018. To that end, the House has passed significant legislation this Congress,” a House Homeland Security Committee aide said. “The bipartisan Cybersecurity and Infrastructure Security Agency Act of 2017 will provide the necessary overarching structure to elevate vital cybersecurity operations and infrastructure related authorities at DHS. The Department of Homeland Security Authorization Act of 2017 includes provisions throughout that create efficiencies, enhance information sharing efforts, and streamline programs.”

The source stressed, “It is imperative the Senate pass these essential pieces of legislation to improve America’s cyber defenses and ensure the future safety and security of Americans.”

On the SAFETY Act, Sen. Steve Daines, R-Mont., recently introduced a bill that would specify in statute that the legal protections provided to companies under that law – a post-9/11 measure intended to encourage private-sector development of anti-terrorist tools – would also apply to cybersecurity technologies and services.

DHS, which administers the SAFETY Act, says it already applies to cyber, but relatively few companies have taken advantage of this tool over the past decade.

“The law already covers this,” said one attorney who closely follows SAFETY Act-related issues. “This is just to make clear to people who worry about the lack of explicit use of ‘cyber’ [in the current law’s language]. This bill eliminates those unfounded concerns.”

It’s unclear if the Daines SAFETY Act language will be added this week. Explicitly extending the law to cybersecurity products has stirred some conservative opposition.

R Street Institute senior fellow Lars Trautman wrote in a recent Washington Examiner op-ed: “With liability protections in hand, there would be little incentive for additional investments and cybersecurity would become a check-the-box exercise.”

Consumer data security

The year’s first steps are in addition to consumer data security and breach-notification legislation. The issue gained momentum following last year’s massive Equifax hack, when the consumer credit rating agency waited six weeks before telling anyone that 143 million or so Americans’ sensitive financial data had been illegally accessed.

Congressional and bureaucratic turf fights over state versus federal authority have hamstrung such legislation for a decade, along with the problem of assigning responsibility for securing data and informing consumers of breaches in a complex, interdependent business ecosystem.

House Financial Services financial institutions and consumer credit subcommittee Chairman Blaine Luetkemeyer, R-Mo., recently circulated revised draft language of his breach-notification bill and plans to hold a legislative hearing in the coming days. A markup would follow shortly, according to sources. Nothing has been put on the calendar so far.

Sources on Capitol Hill and in the business community have suggested that maintaining an alliance among the financial services, retail, and telecommunications sectors is essential to avoiding conflicting approaches by the House Financial Services and Energy and Commerce panels, which doomed past legislative efforts.

“The draft is a strong first step toward actually moving a bill,” said Jason Kratovil of the Financial Services Roundtable. “We hope they find a way for the two committees to work together. Hopefully, this will be the Congress in which a bill actually passes at least one chamber.”

But issues such as the responsibilities of third-party contractors are already threatening to unravel the industry coalition. The Luetkemeyer language says such third parties only need to notify the “covered entity” – such as the retailer that hired the contractor – which in turn would have to tell consumers there has been a breach.

Retail groups and the real estate sector are drawing a bright line around that language, saying the third-party contractor should have to notify the consumer and take the blame for the breach.

Unless the language is changed, a retail source said, that sector will walk away from the compromise.

If that happens, the Financial Services Committee may pass a bill in the coming weeks that will be shunned by the Energy and Commerce Committee. With the two committees at loggerheads, the House GOP leadership might abandon the whole enterprise, according to sources.

House GOP leaders have no interest in getting in the middle of a retail-financial sector fight just as election season heats up, according to sources on and off Capitol Hill.

“We have been working with retailers throughout the process,” said a source close to Luetkemeyer. “The congressman has met with them several times, and we’ve had productive conversations.” Those talks continue, the source said.

If the hurdles can be overcome in the House, an obstacle course awaits in the Senate, where lawmakers such as Sens. Kamala Harris, D-Calif., and Richard Blumenthal, D-Conn., are likely to wage war against any language that would preempt tougher consumer data protection laws enacted in their states.

Other bills aimed at financial-sector cybersecurity are also pending, including measures creating specific cyber rules for credit agencies such as Equifax and addressing the safety of certain Securities and Exchange Commission systems. But it’s unclear whether they will advance.

On election security, House Democrats recently urged McCaul to hold a hearing on their bill to create cybersecurity standards for voting systems, but that kind of regulatory approach is unlikely to find favor among Republicans.

The chairman of the federal Election Assistance Commission recently said that body has sufficient funds to meet state-level requests for help in securing systems. It’s unclear whether Congress will try to pass anything on this hot-button issue.

Likewise, legislation on social media trolling at the behest of foreign powers hasn’t moved at all. Recommendations expected soon from the Senate Intelligence Committee as part of its Russia investigation could provide a boost for such legislation.

Also, it remains to be seen whether the House and Senate homeland panels will take up legislation banning two Chinese telecom companies from government contracts. Sources close to the legislative sponsors have said in recent weeks that GOP leadership may be wary of the bills, but supporters continue to add cosponsors, so pressure for movement may be building.
