The cybersecurity legislation agenda: 5 areas to watch
New digital threats that could topple business, government, military and political institutions are moving cybersecurity to the top of the congressional agenda. The newly seated 116th Congress has so far seen 30 bills introduced in the House of Representatives and seven bills introduced in the Senate that directly deal with cybersecurity issues. That does not include other pieces of legislation that have at least some provisions that deal with information and digital security.
A key problem in grappling with such a complex issue as cybersecurity in Congress — and in Washington in general — is the diffused responsibility spawned by the wide-ranging, interconnected nature of the topic. Representative Jim Langevin (D-RI), a member of the Armed Services and Homeland Security Committees, and one of the founders of the Congressional Cybersecurity Caucus, flagged this stumbling block at the 2019 State of the Net conference in January by calling for consolidation in Congress over cybersecurity.
Noting that around 80 groups within the legislative branch claim some jurisdiction over cybersecurity matters, Langevin said, “We as a Congress are going to have to move with greater agility to respond to the cybersecurity threats we face going forward, and we can’t do it under the current construct.” Langevin wants the House Homeland Security Committee to take the lead on all matters related to cybersecurity.
For the time being, the multiplicity of congressional committees and subcommittees with jurisdiction over cybersecurity combined with the complexity of the topic, which bleeds into other issues such as privacy and national security, makes it difficult to gain the momentum needed to actually pass meaningful cybersecurity legislation.
To clarify the current legislative state-of-play, the following are the broad-brush arenas in which congressional action of some kind will likely occur over the next two years.
With looming threats to the nation’s water, electric, transportation and other critical infrastructure sectors, a number of bills have been introduced. They tackle protecting the essential services that many believe are outdated and ripe for exploitation by malevolent actors. Several pieces of legislation dealing with critical infrastructure that failed to pass in the last Congress have already been teed up again for possible enactment during this session.
Given that (ISC)², the nonprofit association of certified cybersecurity professionals, estimates that there is now a shortage of almost three million cybersecurity professionals globally, it’s no surprise that the lack of cybersecurity expertise, particularly in the federal government, is a top topic for lawmakers.
In the midst of high-profile and controversial bans on the use of foreign technology by U.S. government and military offices, it’s no surprise that legislation tackling supply chain cybersecurity threats.
As mentioned earlier, H.R.1 has provisions for bug bounties, but another cybersecurity bill, one that the full Congress has already passed:
Even with this ambitious agenda, expect even more cybersecurity-related bills in the coming weeks and months. In particular, Senator Ron Wyden’s planned introduction of the Consumer Data Protection Act is worth watching. That bill would empower the FTC to establish minimum privacy and cybersecurity standards, impose steep fines (up to 4 percent of revenues) on companies that violate privacy and security standards, and even permit prison sentences for senior executives for their companies’ privacy and security violations.
Finally, Representative Langevin said he plans to reintroduce a bill he sponsored in the wake of Equifax’s massive data breach in 2017, the Personal Data Notification and Protection Act, which provides for a single national breach notification standard, giving companies 30 days to disclose any breach of consumer data.
This story, "The cybersecurity legislation agenda: 5 areas to watch" was originally published by CSO.