This article is part of the monthly CSI5x5 series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the CSI5x5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at [email protected].
How many Congressional committees does it take to oversee cybersecurity? Apparently, dozens.
Approximately eighty congressional committees and subcommittees claim jurisdiction over at least some dimension of cybersecurity policy. The topics range from privacy rights to Internet of Things (IoT) safety to defense technologies and everything in between. With many committees and subcommittees overseeing these dimensions of cybersecurity, and Congress’s quickly filling agenda, bills that could protect Americans from cyberattacks may face long waits before being passed. Congress has its hands full and as the agenda for the coming years is only getting more crowded, it must improve its agility in order to pass meaningful cybersecurity legislation.
Cyber Statecraft Initiative experts go CSI5x5 to assess how Congress should govern over cybersecurity.
#1 What has been the Congress’s greatest legislative win on cybersecurity in the past decade?
David Bray, director, GeoTech Center:
“Congress’s 2018 National Defense Authorization Act which included authorization to conduct background investigations for up to 80 percent of Department of Defense personnel. This was finalized in 2019 with a presidential executive order starting the transfer from what had been the Office of Personnel Management/National Background Investigations Bureau to the new Defense Counterintelligence and Security Agency (DCSA) out of what had been the Defense Security Service. In addition to overseeing 95 percent of all government clearances, DCSA provides oversight to approximately ten thousand cleared companies under the National Industrial Security Program, ensuring that the US government information they are entrusted with and the critical technologies they develop are properly protected.”
Ryan Ellis, assistant professor, Department of Communication Studies, Northeastern University:
“That’s a tough one. There have been bright spots here and there, but the biggest win is possibly a story of inaction. Despite cycles of attention and real political pressure, Congress has not (yet!) passed legislation that seriously undermines the deployment of strong encryption. Legislation mandating backdoors has not come to pass. This is good news. Mandating backdoors would be a disaster for security and privacy.”
Meg King, strategic and national security advisor to the CEO & President; Director of the Science and Technology Innovation Program, The Wilson Center:
“I have to pick two. First, authorizing the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security made the organization a household name. Too few understood the role of CISA’s predecessor (the National Protection and Programs Directorate or NPPD), and the rebrand focused energy and resources on clearer missions. Congress also significantly increased its funding. Second is the United States-Mexico-Canada Agreement (USMCA). Most would be surprised to learn that ratification of the USMCA by Congress earlier this year was a legislative win for cybersecurity. With its adoption, USMCA became one of the first trade agreements in the world to include commitments on cybersecurity policy through its new Digital Trade chapter in which the Parties agreed to principles for cybersecurity policy consistent with America’s NIST Cybersecurity Framework––a widely adopted benchmark for effective management of cyber risks.”
Ronald A. Marks III, president, ZPN National Security and Cyber Strategies; former Central Intelligence Agency and Capitol Hill official:
“Establishing CISA. For the first time you have a non-intelligence, non-military, non-judicial/legal organization that can be an equal with other players in the US government and represent a straight-forward US government ‘buttonhole’ to the private sector.”
Heather West, former head of public policy for the Americas, Mozilla:
“One win is the application of sanctions on countries that have been involved in targeted cybersecurity offensives, especially when it comes to election interference. While cybersecurity in general is an incredibly broad issue to attempt to address, the use of cyberattacks by nation-states and directed towards the United States is much more clear-cut. And while there was potential for partisan infighting over these sanctions, the successful passage of sanctions was a demonstration that Congress is prioritizing protecting Americans and American infrastructure from these actors.”
#2 Where are lawmakers most glaringly falling short on cybersecurity?
Bray: “Very few have done it, or have staffers who have done it, themselves. It has become a partisan issue and one in which there is more theater versus discussion about how to change this from being a series of band-aids after band-aids on the issues to a holistic rethink of new strategies to get at the real root of the issues––for example, a significant number of services on the Internet were not designed for an era of scarce computation cycle or memory storage compared to today’s technologies, and thus, in some cases, were not built with security or attribution as the paramount goal. While not the model for what the United States should do, recently China has proposed New IP demonstrating their interest in technologies that would protect against digital abuse, yet also would take away privacy and free speech. Ideally in 2021, the United States would work with like-minded nations to offer a counter proposal to New IP that embodies the values that open societies have while also striving to find better ways to permit openness, improving security, and protecting against digital abuse.”
Ellis: “It is, I am afraid, hard to pick on just one! But, as many others have pointed out, thinking specifically here of Jason Healey’s piece in Lawfare earlier this summer, one of the biggest failures is the continued comparative lack of funding and attention for ‘defense.’ While the Department of Defense continues to invest in its ‘offensive’ cyber capabilities, spending on defense—meaning support for creating and maintaining secure and resilient software, networks, and devices—lags. Defending forward is all well and good (and maybe even a necessity), but failing to pair these investments with a comparatively serious efforts to fund the Department of Homeland Security (and others) to fulfill their cybersecurity mission is a failure.”
King: “Because of the nature of the threat, cybersecurity committee jurisdiction is extremely broad. At the same time, many possible solutions require governing in a non-traditional way: like co-locating public with private sectors to analyze and respond to threats faster together, relying on tools and information shared by both. That’s a legal mess that isn’t easily fixed by any legislature. Meanwhile, it is extremely difficult to write laws that won’t be quickly overtaken by rapid technology advances. Where most lawmakers tend to fall short on cybersecurity is finding time to keep current on the evolving threat landscape and understanding what technical and policy solutions might evolve to bridge gaps. In the absence of any consistent technology research or training resources, the Wilson Center operates the Congressional Tech Labs to help.”
Marks: “I would say two areas: 1) Cyber Budget/program consolidation through a National Cyber Director for the Executive (working on it) and the same consolidation on interests in the Legislative budget and oversight process; and 2) not getting the right/enough staff talent on the Hill to support the legislators with cutting edge understanding and ideas.”
West: “Despite Congress increasingly understanding the importance of strengthening our cybersecurity stance as a nation, it seems that we’re mostly looking to the products directly used by the government or sold by the largest companies—and open source projects and consumer products are not seeing the same progress. I hope that lawmakers take the time to learn about the huge swaths of internet infrastructure that are open source—and that usually don’t have the same resources as larger companies. Indeed, many bedrock technologies and standards of the internet are not adequately resourced or secured, despite relying on this underlying infrastructure. Incentivizing companies to secure their products should be done in parallel with work to provide resources to secure widely used open source projects and creating secure open standards.”
#3 Has cybersecurity become a partisan issue in Congress? Should it?
Bray: “Things digital and IT have become partisan issues in Congress with regards to how government operates, yes. When a private sector major event happens there also seems to be a lot of visible concern, even if little changes happen as a result. This politicization probably has origins back to the initial stumbles associated with the launch of Healthcare.gov and the subsequent political division over not just the associate policy but also the digital platform. That said I’m not sure the right lessons were learned from Healthcare.gov or other situations; the right lesson was that the government should not require all intended features to be available by a specific date or else they’re going to preclude agile development and force waterfall development which is risky. The private sector does prolonged periods of open betas and phased launches for any major endeavor. I’m not sure if the budgetary cycles of the US government align with doing agile efforts with cybersecurity baked-in to every part of the development process either within government or with industrial base partners.”
Ellis: “Yes and yes. Cybersecurity is partisan for a good reason: decisions about cybersecurity necessarily require difficult trade-offs between often competing goals. There are fundamental and real differences about how best to balance, for example, security, freedom of speech, privacy, and economic efficiency. At a basic level, decisions about security necessarily prioritize certain values (and users and uses) over others. These are fundamentally political questions—they can’t help but be partisan.”
King: “Compared to other policy challenges, cybersecurity largely enjoys bipartisan collaboration. But there’s still a disconnect, especially when it comes to securing elections. According to Pew Research Center, 87 percent of Democrats believe a hostile power will tamper with US elections compared with 66 percent of Republicans. Although political campaigns are by definition partisan, protecting them from foreign influence on the cyber front should not be. As CISA Director Chris Krebs said at a recent Wilson Center event, the United States must fully integrate ‘the Zero Trust concept, where you just assume the network front to back is adversary territory.”
Marks: “Yes, it has to be. Civil liberties questions abound with information control and information use by public and private sector entities. Oversight and debate are crucial. And it’s Congress’s job to debate/control the ‘power of the purse’ guiding spending.”
West: “There are very few issues that benefit from a partisan approach in Congress—so I am very happy to see largely bipartisan efforts around cybersecurity. I hope that cybersecurity doesn’t become more polarized, despite the current state of politics. Recent intelligence reports have made it clear that major efforts are targeting both parties, so this should remain a bipartisan issue.”
More from the Cyber Statecraft Initiative:
#4 Is a consolidated umbrella committee appropriate for managing cybersecurity or should responsibility for cybersecurity’s many topics be layered onto existing authorities?
Bray: “Before consolidating at the committee level, perhaps we should first consider that it doesn’t make sense for the executive branch to have each agency and department doing their own cybersecurity—this wouldn’t happen across different divisions in the private sector. Instead perhaps we need three specific executive branch designees responsible for cybersecurity: 1) one sole designee for cybersecurity elements associated with national security activities, 2) one sole designee for cybersecurity elements associated with justice, law enforcement, critical infrastructure, and public safety activities, and 3) one sole designee for cybersecurity elements associated with all other civilian activities. If we combine these designees into these three groups to be responsible for executive branch actions relating to cloud services, privacy protections, and cybersecurity combined, we’ll get economies of scale. Then we can consider potential Congressional committee-level mergers to match these executive branch designees.”
Ellis: “In terms of Congress, the existing structure of committees should or least could work—the issue here is a lack of political will, not structural or bureaucratic impediments. Prioritizing the CISA—beefing up their budget and capacity—can and should be a priority. Inside the executive branch, we don’t have to reinvent the wheel. Restoring the cybersecurity coordinator within the National Security Council should be a priority. These changes would provide significant upside without having to create a new consolidated committee.”
King: “It is unlikely—for both political and logistical reasons—that cybersecurity issues will ever be contained in single umbrella committees in each chamber. But jurisdiction could be streamlined and the number of committees reduced, which would make oversight more efficient and effective.”
Marks: “The Cyberspace Solarium Commission wants designated oversight committees, but it’s unlikely to happen. Leadership designating the House and Senate Budget Committees with special ‘cyber interest’ might be the next best centralizing alternative––setting limits/guidance on budget and program support issues related to cyber.”
West: “A hybrid approach would be best suited, giving each committee a space to address relevant cybersecurity issues—which is not to say that there aren’t potential ‘umbrella’ bills that should be considered. Cybersecurity provisions can be added to any number of existing laws and authorities, and every government agency should be continually working on their cybersecurity stance and the cybersecurity stance of the companies and entities that they oversee or regulate. That means that there should be somewhere in each committee—potentially a subcommittee—that looks at cybersecurity issues, whether that’s in health, military, or internal administration. We can’t ‘win’ cybersecurity in a single push, but we can make concrete and incremental changes that improve cybersecurity for everyone across sectors and committee jurisdictions.”
#5 What hasn’t Congress tried, or what is it doing that it could do better, to attract more cybersecurity expertise?
Bray: “Launch a Cybersecurity Reserves force that could work full-time jobs in the private sector and spend a specific number of days a month in support of the activities of the US government. Also recognize that cybersecurity is not just about ensuring software, hardware, and networking technologies do what they are intended to do and are not exploited or abused; it is also about social engineering, misinformation and disinformation, and other human element attacks where, even if the machines operate as intended, the humans find novel ways of using machines to trick other humans to do unhelpful or harmful behaviors. This includes bots that spread misinformation, steal digital identities, or polarize the US public in ways that divide us as a nation. Our information environments, which support commercial and essential services, have become both digital and data banks to be robbed and battlegrounds for conflicts.”
Ellis: “A first step—which would have positive impacts beyond cybersecurity—would be to restore and reinvigorate the Office of Technology Assessment (OTA). Long-since defunded and left to rot, OTA provided expert advice to Members of Congress. Deciding how to balance competing aims, as noted above, are political questions. But in order to reasonably assess and weight these competing aims, technical insight and expertise is a necessity. A revitalized OTA would be an important first step (but only a first step) in making sure that political debates are informed by sound science.”
King: “We expect a lot from our legislators: to win elections in a hyper-partisan environment and then not only fix systemic problems that no one person can change alone, but have the expertise to do so. And even if Congress had all the cybersecurity talent in the world at its fingertips, it simply is not possible to address all priorities equally. Especially during overlapping crises like a pandemic and a crumbling economy.
“Non-profit organizations including my own provide a variety of training programs and fellowships to offer Congress trusted access to cybersecurity expertise when needed. The most successful ones put technology directly into the hands of legislators and their staffs—including the upcoming Hack the Capitol—so that they gain experience actually using these tools and understand how the laws they write might be implemented.
“Perhaps the COVID-19 experience and its impact on the future of work might just be the disruption Congress needed to think differently about how it hires and attracts cybersecurity talent. In many cases, Congress (like many other institutions) relies on an outdated system that prioritizes experience in a professional setting, with an advanced degree. Some of the best software engineers don’t fit into neat molds—and you probably don’t want them to. Looking beyond the usual path and recruiting experts with deep technical expertise who are intrigued by the prospect of public service—even on a remote basis—will be critical.”
Marks: “This is a war of attrition as the Hill rarely moves fast on issues not demanding—in their minds—immediate attention. The older staff and Members of Congress will age out and the newer ones coming in will have greater understanding. As for a program, Congress needs to reinforce its own cyber oversight with talent and commensurate pay the same way they advocate for STEM in the private sector. In the meantime, perhaps a boost in contracting expertise through the Government Accountability Office and Congressional Research Service might ameliorate some of the problem.”
West: “It’s a well-known problem that Congress and cybersecurity experts often speak different languages, have different contexts, and thrive in different cultures. Staff and Members of Congress understand the urgency of cybersecurity issues––even if they’re still working to figure out how to address it. I hope to see Congress continue to bring expertise into all levels of staff and to work in partnership with external experts to understand how to concretely and positively impact the way that we approach securing American infrastructure, from consumer products to sensitive government systems. Congress and staff need to understand that security experts really do work within a different context than Congress—and working to bridge that divide from both sides.
Simon Handler is the assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.