Cybersecurity policy has hardly been an issue in this Congress, although that could change in a small but significant way in the coming weeks.
Bipartisan leaders of the House and Senate homeland security committees are pushing for July floor action on legislation that would revamp the way the Department of Homeland Security is organized to address cyberissues.
The legislation also could include industry-sought language clarifying certain liability protections available to businesses that participate in cybersecurity information-sharing programs. Voluntary information sharing is at the heart of government and industry efforts to secure cyberspace, and guarantees of liability protection are seen as essential to making the process work.
Without that protection, industry lobbyists say, companies won’t share what they know about cyberthreats amid fears of lawsuits, regulatory action by federal and state agencies or public disclosure of their potential vulnerabilities.
The Cybersecurity Act of 2015, passed last December, included long-sought legal protections for companies, but enduring uncertainty over the scope and scale of that liability coverage continues to hobble development of the info-sharing ecosystem, according to industry sources.
On the broader issue of DHS reorganization, a bill by House Homeland Security Chairman Michael McCaul, R-Texas, was unanimously approved in committee on June 8 and supporters are urging House leaders to bring it to the floor.
“July is our target,” said a House source.
The Senate Homeland Security and Governmental Affairs Committee has yet to pass a DHS reorganization bill. Sources said the panel’s leaders and staff are reviewing draft legislation and are also eying action in July.
Sources on the House side said the two committees have been engaged in extensive discussions and are expected to take similar approaches. “We’re actively engaging with the Senate committee,” said a House source. “They’re looking at our bill and figuring out their path.”
DHS officials last year first raised the idea of restructuring the National Protection and Programs Directorate, which deals with cyberissues, and changing its name to something less clunky and oblique.
But lawmakers angrily complained that they first heard about the DHS effort in press reports, which never bodes well for a department’s legislative wish list.
Following a series of meetings between DHS officials and congressional staff, the department submitted a reorganization proposal to the homeland panels last March.
The bill that passed the House Homeland Security Committee this month “represents about 90 percent of what DHS was seeking,” according to a House source.
The House bill would rename the NPPD as the Cybersecurity and Infrastructure Protection Agency, to be led by a director of national cybersecurity.
“The mission of the agency shall be to lead national efforts to protect and enhance the security and resilience of the cyber and critical infrastructure of the United States,” according to the bill.
A congressional source said the DHS reorganization bill could be used to offer additional assurances and clarity to industry on how the liability protections apply when companies share cyberthreat indicators.
Lawmakers continue “to monitor to see if tweaks need to be made to clarify the [2015] law and congressional intent,” the source said. “But of course [the DHS bill] could be a vehicle to make technical corrections if we find it to be necessary.”
The source added: “If we find a need to make technical corrections, we could do so at any stage in the process — before or after House floor consideration. Right now there are no plans to do so. [It’s] just too early to make that definite determination right now.”
The House is on recess next week, then returns for a two-week session before adjourning until September for the national conventions in July and a five-week August recess.
The Senate will be in session each week until mid-July before it breaks for the conventions and recess.
Charlie Mitchell is the editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
