Candidates lay out their positions on a number of topics during the election cycle—taxes, immigration, criminal justice, and climate change—but cybersecurity and privacy don't really get a lot of attention. However, with the focus on election security, nation-state attacks, and massive data breaches, there is growing pressure on the federal government to do something.
Within Congress, there is a sense that privacy and security can't be ignored, or treated as less important. Some lawmakers have shown they grasp the seriousness of the situation and have held hearings, written letters requesting information, and introduced legislation. One way to suss out how the security and privacy agenda will unfold in the 117th Congress is to look at what these Senators have done and said previously.
This isn't intended to be an exhaustive list of every Senator or new member arriving in January. Many of the Senators who will make up the 117th Congress were not up for reelection or handily won their contests, so how they shape the Senate’s agenda will likely remain unchanged. While there are 17 members of the Senate Cybersecurity Caucus, there are plenty of Senators who are active on security and privacy topics and not members of the caucus.
Sen. Ben Sasse (R-Neb) is not an official member of the caucus, but he participated on the bipartisan Cyberspace Solarium Commission, which made more than 75 security recommendations for the executive and legislative branches of government. If the Solarium's recommendations get implemented, such as establishing a national cyber director, forming Senate Cybersecurity Committees, and allocating more power to CISA, it could significantly change privacy and security policy.
One of the new members that could bring some fresh energy is former Colorado governor John Hickenlooper, who unseated Sen. Cory Gardner (R-Colo), the co-sponsor of the Internet of Things Cybersecurity Improvement Act (which just passed Congress unanimously) and co-founder of the Senate Cybersecurity Caucus.
A New Voice in the Senate
Hickenlooper comes with solid cybersecurity credentials, as he—while governor of Colorado—laid the groundwork to create the National Cybersecurity Intelligence Center to serve as a rapid-response center for businesses under attack and to commercialize cutting-edge research. The idea was to eventually have six or so centers around the country focusing on different aspects of cybersecurity. As governor, he also signed the “Cyber Coding Cryptology for State Records” bill into law, which provided support for education, training and workforce development with a focus on cybersecurity, blockchain and related technologies.
Hickenlooper was also a Democratic presidential candidate for a few months in 2019. While his campaign was short, he was one of the few candidates in the crowded field who talked about cybersecurity, such as creating a position of “Director of National Cybersecurity” to formulate a 20-year plan to coordinate efforts among existing security and intelligence agencies.
In an interview when he was running for President, Hickenlooper told Decipher the United States needed “constant engagement” around cybersecurity. This would involve focusing on all the partners around the world, even the ones with a more adversarial relationship, he said.
“By keeping engaged consistently with them, we could bring more pressure on places like Iran, and we can do a better job of addressing the global issues that really are global, like pandemics like Ebola, climate change, cybersecurity,” Hickenlooper told Decipher. “It's important to look at on the small focus of, alright, here's what we're going to do around Iran. But on the larger scale, we've got to recognize that we need a network of constant engagement.”
Caucus Stays the Same
Gardner may not be the only member of the Caucus missing in the next Congress. Sen. David Perdue (R-Ga), who introduced the Cybersecurity Advisory Committee Authorization Act of 2020 to establish an advisory committee at the Cybersecurity and Infrastructure Agency to coordinate and improve the country’s cybersecurity efforts, appears to be heading for a runoff election in January.
Sens. Angus King (I-Me.), Michael Bennet (D-Co), John Thune (R-SD), Tom Carper (D-Del), John Boozman (R-Ar), Maria Cantwell (D-Wash.), Maggie Hassan (D-NH) and Jacky Rosen (D-NV) are members of the caucus but were not up for reelection this year.
Sen. Mark R. Warner (D-Va), the top Democrat on the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, won re-election. He has taken a leading role in tackling foreign disinformation and pushing Congress to consider legislation funding and securing emerging technologies such as 5G. If the Democrats take control of the Senate (pending the outcome of the run-off elections in Georgia), he will likely become chair of the Intelligence Committee. Warner was one of the critics when the White House eliminated the cybersecurity czar role.
Sen. Gary Peters (D-Mich), who narrowly won re-election, had introduced the Continuity of Economy Act of 2020 to develop a plan to ensure essential functions of the economy continue in the event of a cyber-attack and the National Guard Cyber Interoperability Act of 2020 to enable the National Guard to provide remote cybersecurity support and technical assistance to help states respond to cyber incidents. Sens. Chris Coons (D-Del), Mike Rounds (R-SD), Ed Markey (D-Mass), and Tom Cotton (R-Ar) all won reelection with much more comfortable margins.
Sen. Markey is one of the more active members of the Senate on security topics, introducing a flurry of bills and writing letters to companies and agencies about how they handle cybersecurity. Letters include asking the FCC to act on SIM swapping; calling on the FTC to investigate data brokers; requesting information from the National Highway Traffic Safety Administration (NHTSA) regarding risks and vulnerabilities of internet-connected cars; and asking the Department of State why it wasn’t using multi-factor authentication. He has also been one of the vocal voices about the government’s use of facial recognition technology, especially by law enforcement, and has written letters to Clearview AI about its practices. He also urged the FTC to issue comprehensive guidelines for companies that provide online conferencing services so that people working from home can be secure as they spend more hours on conference calls.
Markey sponsored the privacy bill Consumer Online Privacy Rights Act (COPRA); the Cyber Shield Act to create a voluntary cybersecurity certification program for Internet of Things (IoT) devices; the Security and Privacy in Your Car (SPY) Act to establish a rating system telling consumers about a vehicle’s performance capabilities and a cyber coordinator at the Federal Highway Administration; and multiple bills enhancing the security of airplanes and maritime systems, to name a few.
Markey and Cantwell introduced the Consumer Online Privacy Rights Act (COPRA), a "common-sense" bill that would make companies responsible for obtaining permission before collecting, sharing, and retaining sensitive information, including biometrics and location data.
Sen. Rounds has spoken about disinformation campaigns, election security, and the military’s ability to respond to cyberattacks. He introduced the National Cybersecurity Exercise Act in 2018, which would have required Cyber Command and others to conduct a “tier 1 exercise” to support civil authorities during a cyber incident. The bill died without coming to a vote. “The U.S. defense strategy must include protecting our military and civilian infrastructure from cyberattacks,” Rounds wrote last year.
Sen. Coons co-authored an opinion piece “U.S. Cybersecurity Is Too Weak” in TIME magazine back in 2017, and co-sponsored the Cyber League of Indo-Pacific States (CLIPS) Act to establish a community of regional allies and partners to combat cyberattacks that threaten the U.S. economy.
Sen. Cotton has been one of the most vocal members about the continued presence of Huawei and ZTE equipment in U.S. networks, alleging that the companies have extensive ties with the Chinese Communist Party. He supported the Commerce Department’s decision to remove these technologies from government networks and has urged an outright ban. Cotton also joined Sen. Ron Wyden (D-Ore) in a letter last year to the Senate Sergeant at Arms asking for information about the scale of successful hacks of Senate devices, including smartphones.
Cotton, Warner, Perdue, and Markey all joined Sen. Richard Blumenthal (D-Conn) in a letter to the Department of Defense and Department of Homeland Security in April urging Cyber Command and CISA to take more action to protect healthcare organizations from increased attacks during the pandemic.
“Unless we take forceful action to deny our adversaries success and deter them from further exploiting this crisis, we will be inviting further aggression from them and others,” the letter said. “The cybersecurity threat to our stretched and stressed medical and public health systems should not be ignored.”
Senate Stays Same
There are plenty of other voices outside the caucus, including the previously mentioned Sens. Sasse, Wyden and Blumenthal. Sasse was part of the Solarium. Many of these Senators who have previously sponsored security legislation or spoken on the topic were not up for reelection this cycle.
Sen. Josh Hawley (R-Mo.) introduced the Do Not Track Act, a bill that would establish a single mechanism through which people could prevent websites from tracking them as they move around the web. That measure is designed to protect people from surveillance that is largely invisible to them. Sen. Rob Portman (R-Ohio) sponsored the DHS Cyber Hunt and Incident Response Teams Act to establish threat hunting teams dedicated to helping agencies find threats and recover from cybersecurity incidents.
Sen. Kirsten Gillibrand (D-N.Y.) sponsored the Data Protection Act, aimed squarely at major platform providers and data brokers. The SAFE DATA Act, introduced by Sens. Roger Wicker (R-Miss.), John Thune (R-S.D.), Deb Fischer (R-Neb.), and Marsha Blackburn (R-Tenn.), gives individuals the opportunity to see, correct, or delete data collected on them by their privacy policies. The bill also would have required the FTC to create and maintain a registry of data brokers. Sen. Elizabeth Warren (D-Mass) tried to establish criminal liabilities for CEOs and other senior executives in the case of data breaches with the Corporate Executive Accountability Act.
Wyden may be one of the hardest working members of the Senate on security and privacy issues. Like Markey, Wyden has asked a lot of questions about the accuracy of facial recognition systems and the erosion of individual privacy. Wyden, Markey, and Sen. Cory Booker (D-NJ) (who won reelection) asked the chiefs of 39 federal law enforcement agencies to provide information as to whether they use facial recognition, the circumstances under which they are used, and what databases are used to run facial matching tools. Wyden has been a consistent voice for putting restraints on law enforcement access to people's information.
Blumenthal is also very active. He has urged establishing a “privacy bill of rights”, based in part on the European Union's General Data Protection Regulation. He has said there are so many privacy threats right now that most people don’t even have a handle on what they are.
As the chair of the powerful Senate Judiciary Committee and a vocal supporter of the concept of 'lawful' encryption, Sen. Lindsey Graham (R-SC) has played a role in shaping the Senate's agenda. He decisively defeated his Democratic challenger to stay in the Senate, and is expected to continue his push for giving law enforcement backdoor access into encrypted communications, as well as punishing technology companies. Graham and Blumenthal were co-sponsors of the highly controversial EARN IT Act, which would strip tech companies of liability protections for what users share on their platforms if they don't follow new rules. The bill was ostensibly designed to prevent online child exploitation, but could present serious challenges to operators of end-to-end encrypted services because the operators may be forced into granting law enforcement special access to encrypted technologies.