Security news that informs and inspires

Behind the Rising Tide of Cybersecurity Legislation

By

At the 2021 Aspen Cyber Summit this week, lawmakers discussed why cybersecurity legislation is picking up - and challenges in the legislative process.

Cybersecurity legislative efforts have been gaining momentum at a rapid pace, fueled in part by bipartisan cooperation and also by a sense of urgency in securing critical infrastructure and other systems, said lawmakers during the 2021 Aspen Cyber Summit on Wednesday.

Over the past year, high-profile cyberattacks like the Colonial Pipeline hack and the SolarWinds attack have thrust issues like supply chain security and ransomware into the spotlight - and brought a tightened focus around the role of the U.S. government in preventing such attacks.

On the heels of these cyberattacks, lawmakers have been introducing bills aimed at transparency around data breaches and ransomware attacks, as well as bolstering cybersecurity protections for both the government and for various private sector industries.

“We all want to try to figure out a way to stop these cyberattacks,” said Rep. John Katko (R-N.Y.) on Wednesday. “All these bills are percolating up and gaining traction. A lot of them were put under the NDAA [National Defense Authorization Act] this year because we all know we need them.”

Just this week, a slew of newly proposed bills tackled significant issues like ransomware and critical infrastructure security. On Tuesday, Katko introduced the Securing Systemically Important Critical Infrastructure Act, which aims to help establish a more transparent process for designating and prioritizing “systemically important critical infrastructure.” Also introduced on Tuesday was the Ransom Disclosure Act, which would require U.S. businesses to disclose ransomware payments within 48 hours of the payment.

Agreement Across the Aisle

Lawmakers on both ends of the political spectrum agree that cybersecurity is a top issue facing the country, which plays into the increased momentum around these legislative efforts, said Katko on Wednesday.

Last week, a bipartisan bill called the Cyber Incident Reporting for Critical Infrastructure Act of 2021 was formally introduced and sponsored by both Katko and Rep. Yvette D. Clarke (D-N.Y.), for instance. The legislation would allow the Cybersecurity and Infrastructure Security Agency (CISA) to require infrastructure firms to report a cyberattack within 72 hours of a breach.

“I’m very bullish on the bipartisan nature of homeland security,” Katko said. “Everyone, whether they’re Democrat or Republican, whether liberal or conservative… We all want to do the same thing, we want to try to figure out a way to stop these cyberattacks.”

Sen. Angus King (I-Maine), the co-chair of the Cyberspace Solarium Commission - charged with making recommendations for how the U.S. should overhaul its cybersecurity strategy - agreed. King said he saw “zero” partisan tensions on the commission while it developed 75 recommendations in a 2020 report outlining ways to overhaul federal cybersecurity.

“I don’t even know the parties of most of the members of the commission, it never came up… We’ve had 47 meetings as of last Monday, and there hasn’t been a single moment of partisan discussion,” said King. “This is not a partisan issue.”

Hurdles in the Legislative Process

Given the momentum of these legislative efforts, why hasn’t Congress made more progress in combating cyber threats? King said that one roadblock is “territorial imperative” across various governmental committees during the legislative process.

For instance, when 25 amendments were adopted last year in the NDAA, at least 180 clearances were first required from different committees and subcommittees, he said.

“No committee wants to give up an ounce of its jurisdiction and cyber is scattered all over the Congress,” he said. “You need clearance from Democrats and Republicans on five different subcommittees… that’s just the nature of the process.”

The Cyberspace Solarium Commission has attempted to address this issue by recommending the formation of a select committee - a small legislative committee appointed for a special purpose, in this case for cybersecurity. However, “I don’t expect that proposal to go anywhere,” said King.

“It’s the reality of how Congress works,” he said. “We have different committees with different jurisdictions no one wants to give up, so it’s just a long slog.”

Steps in the Right Direction

Despite these challenges, lawmakers remain optimistic that progress is being made in bolstering legislative efforts that combat cyber threats. King said that 25 of the Cyberspace Solarium Commission’s proposals have been codified into law, for instance.

Beyond legislation, lawmakers pointed to increased collaboration between the public and private sectors and improvements across the government’s strategy overall in working to prioritize cybersecurity efforts, particularly with the implementation of the role of National Cyber Director in the government.

“This is an administration that had a very short runway in terms of building out its administration for the job, but I think they clearly understand - given the volume of attacks on critical infrastructure in particular - that they have to get on the ball,” said Clarke on Wednesday.