Bills on reorganizing the Department of Homeland Security’s cybersecurity functions and on software vulnerability disclosure appear to be the most likely cyber-policy candidates for action as Congress returns this week to begin the summer legislating season.
The recent “WannaCry” ransomware attack could boost measures like the PATCH Act, a bill from Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., that is designed to create a process by which the government would share information about vulnerabilities with the private sector.
In “WannaCry,” the National Security Agency reportedly knew for years about a vulnerability in Microsoft Windows but didn’t let the company know about it. (Microsoft had issued a patch for the flaw in March 2017, two months before the outbreak; the worm spread through systems that had not applied it.) The PATCH Act would put the Department of Homeland Security at the top of an interagency board that would determine when and how to disclose such vulnerabilities.
Sources on the House and Senate homeland security panels, which have prime jurisdiction over both measures, said no hearings have yet been scheduled on either Johnson’s vulnerabilities bill or a separate bill by House Homeland Security Chairman Michael McCaul, R-Texas, to retool DHS’ cyber offices into a unified cybersecurity agency.
McCaul argues that getting the government’s structure right — and clarifying DHS’s prime role on cyber — is one of the most important things policymakers can do right now to strengthen both deterrence and the response to cyberattacks.
Staff for McCaul and Johnson have been working jointly on the details of the DHS reorganization, Johnson said recently. McCaul also continues to work with other House committees that claim a share of jurisdiction over DHS, according to sources.
McCaul has yet to comment on Johnson’s vulnerability disclosure bill, which would put DHS in the lead role on a new oversight board to develop “a consistent policy for how the government evaluates vulnerability for disclosure and retention,” according to a statement by the Senate committee, which adds, “The bill will also create new oversight mechanisms to improve transparency and accountability, while enhancing public trust in the process.”
McCaul and Johnson’s committees will each hear separately this week from Homeland Security Secretary John Kelly about the department’s cyber and other funding priorities.
The upcoming legislative stretch offers a crucial window for lawmakers hoping to advance both policy and spending bills this year.
Congress will be in session for four weeks prior to the July Fourth recess, and then for three weeks before its annual month-long August break.
After that, Congress is expected to be in session into December but lawmakers will face fierce competition in both chambers to find floor time for their proposals. That dynamic places a premium on at least advancing bills through the committee process prior to the August break.
“It does seem that Congress is interested in doing something to show they’re addressing cybersecurity,” said Betsy Cooper, the executive director of the University of California Berkeley’s Center for Long-Term Cybersecurity. Further, she said “Congress’ understanding and expertise around cyber have grown in recent years, which allows them to consider a broader range of issues,” including complex questions such as vulnerability disclosure.
Melissa Hathaway, a top cybersecurity adviser to both Presidents George W. Bush and Barack Obama, agreed that the McCaul and Johnson bills appear to be “the two main initiatives in Congress” this year.
She cautioned, though, that Congress is coming at the cyber policy challenge from a “committee jurisdiction” angle rather than taking a holistic approach, while also warning that the PATCH Act places responsibility for vulnerability disclosure at DHS, which may not have the expertise to handle the assignment.
On the other hand, she said, passage of the PATCH Act “would create a process for congressional oversight of vulnerability disclosure, which maybe you want.”
Both the DHS reorganization and vulnerability disclosure measures also have critics who say the bills represent a missed opportunity to drive a more coordinated national cyber policy.
“All we’re talking about is legislation to rearrange the deck chairs,” one tech-sector source said of the McCaul bill. And, the source said, the Johnson bill, cosponsored by Sen. Brian Schatz, D-Hawaii, is a very limited response to “WannaCry” that does nothing to address “who’s in charge” of responding to such an attack.
“‘WannaCry’ could’ve been a lot worse, we got lucky,” the source said, saying the episode highlighted the absence of an effective integrated response process.
“The message,” the source said, “is everybody’s on their own.”
Cybersecurity issues have yet to come into focus in either the House or Senate homeland security panels — the House committee has held three cyber-related hearings while Johnson’s Senate panel has held only one so far this year.
But that could change in the coming weeks as the leaders of both of those panels look to put their mark on cyber policy this year, with the legislative clock already starting to wind down.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.