Cybersecurity Faces Challenges in Congress
Lawmakers push for fellow legislators to step up digital protections.
Amid the political scuffles on Capitol Hill about immigration, health care and budget legislation to keep the federal government open, cybersecurity is not necessarily one of the highest policy-making priorities. This must change, some lawmakers say. Cyber attacks, already plentiful and disastrous, will only increase in frequency and scale over time. The United States needs more protections and measures, especially at the federal level, according to some legislators.
Rep. Jim Langevin (D-RI) has long been asking for more robust cyber defenses. The U.S. congressman is co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Armed Services and Homeland Security committees.
In 2007, when Langevin was chairman of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, he thought he would be focusing on bioterrorism and the threat of weapons of mass destruction. However, he took notice of the cyber threat after learning about the revealing Aurora Generator Test conducted at the Department of Energy’s Idaho National Laboratory, which staged a computer virus attack on a power generation control system, disabling the diesel generator.
“We held a number of hearings on the potential for cyber intrusions to cause physical damage to critical infrastructure,” the congressman recounts. “What really impressed me was that, despite the potential risk to our national security, there were not a lot of conversations happening on the Hill about the threat.” Shortly after, Langevin and friend Rep. Michael McCaul (R-TX) took it upon themselves to found the bipartisan caucus to raise cybersecurity awareness among fellow lawmakers.
The threat to the nation has not diminished since then. “I firmly believe that cybersecurity is the chief national and economic security challenge we face in the information age,” Langevin says.
At the beginning of their efforts with the caucus, cybersecurity was a niche issue, “and I got more than my share of funny looks from fellow members,” he admits. “Today, every member has at least a passing familiarity with the threats we face in cyberspace, and most of them have the desire to learn more.” While some of that awareness stems from the caucus’s work, unfortunately, a lot of the attention comes from the litany of high-profile breaches, Langevin shares. “It seems not a week goes by without the latest incident featuring in banner headlines and on the nightly news,” he says. “Members are waking up to the fact that improving our cybersecurity posture is critical to our national and economic security, and I certainly see the knowledge level continuing to ramp up.”
Langevin’s top concern remains the lack of appointees to key cybersecurity positions within the federal government. “Protecting the government and critical infrastructure entities needs to be a top priority of the Trump administration, but it is very difficult to do without leadership in place,” he asserts. He also has misgivings about the administration backing away from international engagement following the closure of the cyber coordinator’s office within the Department of State.
“That said, I have largely supported the administration’s policy decisions on cybersecurity, highlights of which include the May executive order and the release of a charter for the Vulnerabilities Equities Process [VEP],” the congressman notes. The executive order looks to strengthen federal networks and critical infrastructure; the VEP policy addresses disclosure of federal cybersecurity vulnerabilities.
To address the rise of more destructive attacks—such as last summer’s NotPetya malware and the Equifax breach—Congress needs to act. “Legislatively, I think we need a national data breach notification law to handle situations like the Equifax breach,” he states. Moreover, it is imperative that the United States “shores up our election cybersecurity before the upcoming votes in November,” given Russia’s “brazen interference with our democracy” in the 2016 presidential election, Langevin adds. Aside from those efforts, Congress should continue to focus on the implementation of existing policies, such as the Cybersecurity Act of 2015.
The cyber caucus will continue with a robust schedule of briefings over the rest of the year, with experts from the federal government, academia and industry to help increase congressional knowledge of threats. “Part of our goal is also to pull in staff that handle other critical infrastructure policy—for example, health care—and help them understand how cyber risks can affect their sector,” he says.
Langevin also has turned an eye toward supporting the cyber capabilities of the reserves and the National Guard. He introduced H.R. 1049 at the beginning of the 115th Congress to propose the creation of a database of all Reserve and National Guard cyber capabilities as part of a Defense Department database of national security and emergency response capabilities. In addition, Langevin, along with other lawmakers, called on Secretary of Defense James Mattis to increase cybersecurity education in junior ROTC at U.S. high schools and universities. While the services incorporate some elements of STEM coursework in the junior ROTC program, they have not made cybersecurity a curriculum requirement.
Meanwhile, Rep. John Ratcliffe (R-TX), chairman of the House Subcommittee on Cybersecurity and Infrastructure Protection, is focusing on the federal government’s cybersecurity posture. In the congressman’s view, this “is a big task that requires constant attention.”
The subcommittee has oversight of the Department of Homeland Security’s (DHS’) cybersecurity and infrastructure protection activities. Although the department’s efforts are vital, Congress needs to continue providing the DHS “with the authorities and tools necessary to carry out these activities while we conduct rigorous oversight to ensure the DHS’ work is being done in the best way possible,” Ratcliffe says. The subcommittee will continue to focus for the rest of the year on the DHS’ implementation of its Continuous Diagnostics and Mitigation (CDM) program as well as on information sharing, the cyber workforce and public-private partnerships, he stipulates.
The CDM program is one of the government’s leading Internet of Things-related security efforts—aside from the Defense Department’s Comply to Connect (C2C) program. Phase one of program, which began in 2012, took stock of the government’s hardware and software assets, configuration settings and management of vulnerabilities. However, the effort revealed that agencies were not aware of an “incredible amount of devices” connected to government networks, the congressman cautioned at a recent subcommittee hearing on the measure. “How can you protect what you can’t see?” Ratcliffe asks.
The DHS’ task is not easy, Ratcliffe recognizes. It has more than 70 federal agencies and departments to work with, and “it is no secret that the government has trouble buying technology,” he states. However, while the government is setting up new programs and buying and deploying more advanced technologies, the threats to federal agencies continue “to grow every minute,” Ratcliffe imparts.
The lawmaker questions whether the DHS actually has access to the necessary cybersecurity platforms for effective continuous monitoring by agencies throughout the other phases of the program. “The maturity of the CDM program has to move at the pace of new technologies and innovations, not at the pace of bureaucracy,” he laments.
On the legislative front, he introduced two measures at the beginning of the 115th Congress: H.R. 239 and H.R. 240, both of which were included in House Majority Leader Kevin McCarthy’s (R-CA) Innovation Initiative. The initiative aims to improve innovation in the private sector and bring additional innovation to the federal government. H.R. 239 contains provisions to support the development of cybersecurity technologies through the DHS’ Science and Technology Directorate. H.R. 240, meanwhile, would require the DHS to work with emerging technology companies, including small businesses and startups, to address homeland security needs. While both measures have passed the House, they have not yet advanced past the Senate’s Committee on Homeland Security and Governmental Affairs.
A third bill from Ratcliffe, H.R. 1616, has found more success. It became law last November and includes measures to strengthen the ability of state and local governments to fight cyber crime. The legislation authorized a National Computer Forensics Institute within the Secret Service between last fiscal year and FY 2022. The institute’s role is to disseminate information regarding the investigation and prevention of cyber crimes and related threats, including educating and equipping state and local law enforcement officers, prosecutors and judges for cyber crime issues.
Ratcliffe wants the DHS’ National Protection and Programs Directorate redesigned as the Cybersecurity and Infrastructure Security Agency, as suggested by another piece of legislation, H.R. 3359. The agency would be headed by a director of national cybersecurity and infrastructure security, who would lead efforts to protect and enhance U.S. cybersecurity, emergency communications and critical infrastructure, according to the proposal passed by the House.
The lawmaker will continue to work on cyber-related bills and remains optimistic, in general, about the state of cybersecurity. “As this issue continues to rise in importance, it has remained one of the most bipartisan issues of our time, which has allowed us to make great strides in our efforts to fortify our country against our cyber adversaries,” Ratcliffe says. “This gives me great hope that we’ll continue seeing productive partnerships, not just in our own government but also with other countries and with private-sector leaders who are willing to work it out in everyone’s best interest.
“I often talk about how cybersecurity is the uncharted frontier of the 21st century. We’re at the brink of a ‘cyber moonshot,’ if you will,” he opines. “I think folks should know that we’ve got to keep building on the progress we’ve already made so we can ensure we don’t fall behind. Our cyber adversaries certainly aren’t slowing down, and neither should we. I’m glad folks are seeing how imperative that is.”