With Congress having returned from the August recess, bright-eyed and bushy-tailed, a host of bills are awaiting these eager lawmakers. However, I will focus only on those bills that have been marked up and reported out of committee or have been passed by one chamber, as these bills may be the most likely to be enacted. Of course, there are other issue areas Congress may address with legislation this fall, but as yet, legislation has neither been introduced nor marked up (e.g. privacy, data security, and the PATRIOT Act reauthorization).
And, it should be noted that past could be prologue with respect to a PATRIOT Act reauthorization. As you might recall, what became the “Cybersecurity Act of 2015” (P.L. 114-113) was effectively blocked because of fighting over expiring PATRIOT Act provisions that were ultimately reauthorized as modified in the “USA Freedom Act” (P.L. 114-23). Therefore, until Congress reauthorizes these provisions, and I think it highly likely they will, it is possible technology-related legislation will be essentially used as leverage by proponents and opponents to see their preferred policy outcome enacted. Having said that, there are a number of technology-related bills that have been reported out of committee or come to the floor of one chamber or the other.
First, and possibly foremost, since this reauthorization has been enacted annually since the Kennedy Administration, is the FY 2020 National Defense Authorization Act (NDAA) (H.R. 2500/S. 1790). As cybersecurity has grown in prominence nationally and at the Pentagon, provisions dealing with this topic area have proliferated. Consequently, both bills are stuffed with statutory language ranging from supply chain to acquisition to offensive and defensive cyber operations, and other facets of cybersecurity. Likewise, the committee reports are also full of directives, mainly to the Pentagon, regarding actions, programs, briefings, and reports Congress would like the Department of Defense to undertake. Both NDAAs have passed their respective chambers and the Armed Services Committees have been working on reconciling the bills. Incidentally, the Senate attached its FY 2018, 2019, and 2020 Intelligence Authorization to S. 1790, which is also replete with cyber-related provisions for the Intelligence Community (i.e. the “Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020” (S. 1589)). On July 17, the House passed the “Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act (IAA) for Fiscal Years 2018, 2019, and 2020” (H.R. 3494) by a 397-31 vote. Therefore, it is possible that the NDAA also carries the intelligence reauthorization to enactment.
Speaking of annually enacted vehicles to effect technology policy, all twelve of the FY 2020 appropriations acts have yet to be enacted. A number of the bills contain crucial language on cybersecurity and technology funding, with a handful of bills being most important with respect to funding: the Homeland Security, Department of Defense, Financial Services and General Government, and the Commerce-Justice-Science appropriations acts. Despite having struck a deal on top-lines, it is not clear that Congress will enact its appropriations bills before the current year ends on September 30. Therefore, we may be looking at a continuing resolution into the fall, ideally followed by an omnibus or series of bills packaged together to fund FY 2020 programs. For example, the “FY 2020 Homeland Security Appropriations Act” would provide the Cybersecurity and Infrastructure Security Agency (CISA) $2.016 billion for FY 2020, a boost of $334 million above its FY 2019 funding level and $408 million above the Administration’s budget request.
Election security will likely be an area around which there will be intense messaging but less legislative action. House Democrats made election security reform a policy priority in large part because of the Russian interference and hacking in the 2016 election. The House has sent substantially the same legislation in two bills (i.e. the “For The People Act of 2019” (H.R. 1), a package of election reforms, and the “Securing America’s Federal Elections (SAFE) Act of 2019” (H.R. 2722)) to the Senate, where Senate Majority Leader Mitch McConnell (R-KY) has refused to consider them or Senate bills. Broadly speaking, these bills would authorize funding and establish federal standards for states and localities in improving and upgrading their election systems against hacks and attacks. Incidentally, the $600 million in election grants these bills call for was provided in the “Financial Services and General Government Appropriations Act, 2020” (H.R. 3351) the House passed in June.
As noted, at the end of July, after the Senate Intelligence Committee released the first of the five-volume report on the 2016 presidential election, Senators Richard Blumenthal (D-CT), Mark Warner (D-VA), Amy Klobuchar (D-MN), and others sought unanimous consent to proceed to a number of election security-related bills but were blocked by Senate Republicans. The bills Senate Democrats tried to bring up for immediate consideration included:
- The “Duty To Report Act” (S. 1247)
- The “FIRE Act” (S. 2242)
- The “Senate Cybersecurity Protection Act” (S. 890)
- The “Securing America’s Federal Elections Act” (SAFE Act) (H.R. 2722)
The Senate did, however, pass the “Defending the Integrity of Voting Systems Act” (S. 1321) by unanimous consent on July 17. S. 1321 would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills. However, despite action on S. 1321 and 1328, Senate Democrats seem intent on continuing to try and force consideration of election security legislation. It is unclear whether McConnell will relent.
Likewise, the House has also begun legislation to punish those found guilty of interfering with U.S. elections. In July the House Foreign Affairs Committee met and marked up a number of bills, including the “Safeguard our Elections and Combat Unlawful Interference in Our Democracy Act” (SECURE Our Democracy Act) (H.R. 3501), which “would impose sanctions on anyone found to interfere illegally in an American election from overseas…[and] is designed to punish Russian interference in the 2016 election and also deter future election interference” according to the Committee’s press release.
Congress also has pending a number of bills focused on the federal government’s cybersecurity posture and capabilities. In January, the House passed the “Federal CIO Authorization Act of 2019” (H.R. 247) that would codify the positions of Chief Information Officer (CIO) and Chief Information Security Officer (CISO), make the positions presidential appointments, require the CIO to report directly to the Office of Management and Budget (OMB) Director, require each agency to submit reports on all IT expenditures to the CIO, and task the CIO with submitting a plan to Congress “for consolidating information technology across the Federal Government…and increasing the use of shared services, including any recommendations for legislative changes that may be necessary to effect the proposal.” H.R. 247 is identical to a bill, the “Federal CIO Authorization Act of 2018” (H.R. 6901), the House overwhelmingly passed in December, but the Senate never took up the bill.
On July 17, the House Homeland Security Committee held a markup and reported out four such cybersecurity bills:
- The “Securing the Homeland Security Supply Chain Act of 2019” (H.R. 3320) would “authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk” with authorities similar to those granted to the Department of Defense in the FY 2019 National Defense Authorization Act to exclude contractors with unacceptable supply chain risks.
- The “DHS Acquisition Reform Act of 2019” (H.R. 3413) would “provide for certain acquisition authorities for the Under Secretary of Management of the Department of Homeland Security.”
- The “Pipeline Security Act” (H.R. 3699) would “codify the Transportation Security Administration’s responsibility relating to securing pipelines against cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines.”
- The “Cybersecurity Vulnerability Remediation Act” (H.R. 3710) would permit but not require the Cybersecurity and Infrastructure Security Agency (CISA) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”
In June, the House took up and passed the “DHS Cyber Incident Response Teams Act of 2019” (H.R. 1158), as amended, by voice vote. H.R. 1158 would require the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity and Communications Integration Center (NCCIC) to “maintain cyber hunt and incident response teams for the purpose of providing, as appropriate and upon request, assistance to asset owners and operators in restoring services following a cyber incident” among other circumstances. NCCIC must “continually assess and evaluate the cyber incident response teams and their operations using robust metrics” and may “include cybersecurity specialists from the private sector on cyber hunt and incident response teams.” A related bill has been marked up and reported out of the Senate Homeland Security and Governmental Affairs Committee, the “DHS Cyber Hunt and Incident Response Teams Act of 2019” (S. 315), that would charge NCCIC and CISA with substantially the same missions. The Senate Homeland Security Committee marked up and reported out two other such bills:
- The “National Cybersecurity Preparedness Consortium Act of 2019” (S. 333) would allow the Department of Homeland Security to “work with a consortium to support efforts to address cybersecurity risks and incidents.” Consortiums are defined to be “a group primarily composed of nonprofit entities, including academic institutions, that develop, update, and deliver cybersecurity training in support of homeland security.”
- The “Federal Rotational Cyber Workforce Program Act of 2019” (S. 406), which would establish a program under which cybersecurity employees would rotate at federal agencies.
In July, the Senate Homeland Security Committee marked up and reported out the “State and Local Government Cybersecurity Act of 2019” (S. 1846) that would provide the Department of Homeland Security (DHS) the authority “[t]o make grants to and enter into cooperative agreements or contracts with States, local governments, and other non-Federal entities” and direct the National Cybersecurity and Communications Integration Center (NCCIC) to work “with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center” on addressing a variety of cybersecurity-related responsibilities.
Congress also has proposed measures targeted at small businesses. On July 15, the House took up and passed a pair of cybersecurity bills from the suspension calendar:
- The “SBA Cyber Awareness Act” (H.R. 2331) would “require the Small Business Administrator (SBA) to issue annual reports assessing its IT and cybersecurity infrastructure and notify Congress and affected parties of cyber incidents when they occur.”
- The “Small Business Development Center Cyber Training Act of 2019” (H.R. 1649) would “help Small Business Development Centers (SBDCs) become better trained to assist small businesses with their cyber security and cyber strategy needs…[and] would establish a cyber counseling certification program in lead SBDCs to better assist small businesses with planning and implementing cybersecurity measures to defend against cyber attacks.”
Congress has also initiated legislation to better regulate the energy sector’s cybersecurity. On July 17, the House Energy and Commerce Committee marked up a quartet of energy sector cybersecurity bills:
- The “Enhancing Grid Security through Public-Private Partnerships Act” (H.R. 359) “directs the Secretary of Energy, in consultation with States, other federal agencies, and industry stakeholders, to create and implement a program to enhance the physical and cyber security of electric utilities.”
- The “Cyber Sense Act of 2019” (H.R. 360) would establish a “voluntary program [that] would identify cyber-secure products that could be used in the bulk-power system.”
- The “Energy Emergency Leadership Act” (H.R. 362) would “create a new DOE Assistant Secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure, and cybersecurity.”
- The “Pipeline and LNG Facility Cybersecurity Preparedness Act” (H.R. 370) “would establish a program at DOE, in coordination with other Federal agencies, States, and the energy sector, to create policies and procedures to improve the physical and cyber security and resiliency of natural gas transmission and distribution pipelines, hazardous liquid pipelines, and liquefied natural gas (LNG) facilities.”
There are two bills regarding the Internet of Things that have been reported out of committee. On July 10, the Senate Commerce, Science, and Transportation Committee held a markup and reported out the “Developing Innovation and Growing the Internet of Things (DIGIT) Act” (S. 1611) sponsored by Senators Deb Fischer (R-NE), Cory Gardner (R-CO), Brian Schatz (D-HI), and Cory Booker (D-NJ). In her press release, Fischer explained the bill “would convene a working group of federal entities and experts from the private and academic sectors tasked with providing recommendations to Congress on how to facilitate the growth of connected Internet of Things (IoT) technologies.” She added that “[t]he group’s recommendations would focus on how to plan for, and encourage, the development and deployment of the IoT in the U.S…[and] directs the Federal Communications Commission (FCC) to complete a report assessing spectrum needs required to support the Internet of Things.” S. 1611 is substantially similar to legislation (S. 88) that the Senate passed unanimously in the last Congress but the House never took up. It is not clear whether the same resistance exists in the House, but unlike the last Congress, a companion DIGIT Act has not yet been introduced in the House.
Earlier this year, two versions of the same IoT bill were marked up and reported out of committee. The Senate Homeland Security and Governmental Affairs Committee marked up and reported out the “Internet of Things Cybersecurity Improvement Act of 2019” (S. 734) a week after the House Oversight and Reform Committee acted on the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668) after adopting an amendment in the nature of a substitute that narrowed the scope of the bill. In general, these bills seek to leverage the federal government’s ability to set standards through acquisition processes to ideally drive the development of more secure IoT across the U.S. The stakeholders are responding to the security risks presented by weak or nonexistent security for IoT as seen in a number of major malware attacks. The legislation would require the NIST, the OMB, and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to work together to institute standards for IoT owned or controlled by most federal agencies. These standards would need to focus on secure development, identity management, patching, and configuration management and would be made part of Federal Acquisition Regulations (FAR), making them part of the federal government’s approach to buying and utilizing IoT. Thereafter, federal agencies and contractors would need to use and buy IoT that meets the new security standards.
Finally, House Democrats have made rolling back the Federal Communications Commission’s (FCC) repeal of the Obama Administration’s Open Internet Order (aka net neutrality) a priority. On April 3, the House Energy and Commerce Committee marked up and reported out the “Save the Internet Act of 2019” (H.R. 1644) that would undo the Federal Communications Commission’s (FCC) repeal of the Obama Administration’s 2015 net neutrality order and reclassify internet service providers (ISPs) under Title II of the Federal Communications Act as common carriers. The bill was subsequently passed by the House by a 232-190 vote, but the Senate has not yet taken up the bill and likely will not.