House Appropriations Committee Passes Bills With Funding For and Directives To Technology Agencies

Four bills full of technology funding and programmatic direction are reported to the House.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The House Appropriations Committee finished work on four of the FY 2021 appropriations bills that fund a substantial portion of the United States (US) government’s technology programs and activities. Appropriations bills are often the primary vehicle by which Congress changes executive branch policy through the use of its funding powers, and so the bills and their committee reports contain a range of directives and instructions year-to-year. The House is set to finish committee consideration of all 12 bills this month, but there is no indication as to when the Senate Appropriations Committee will take up its bills. Given the late start on appropriations, it is all but certain the federal government will be operating under a stopgap funding bill for some portion of the first quarter of the next fiscal year. The outcome of the election could further postpone full appropriations and delay passage of technology funding and program changes.

FY 2021 Homeland Security Appropriations Act

In advance of the 15 July markup, the House Appropriations Committee made available its Committee Report to accompany the FY 2021 Homeland Security Appropriations Act.

The package includes $2.6 million for a Joint Cybersecurity Coordination Group (JCCG) inside DHS to “serve as a coordinating entity that will help the Department identify strategic priorities and synchronize cyber-related activities across the operational components.” This new entity comes about because the Trump Administration requested its creation as part of its FY 2021 budget request. The Committee expressed disappointment with “the lack of quality and detail provided in CISA’s fiscal year 2021 budget justification documents, to include several errors and unjustified adjustments that appear to be attributable to CISA’s premature proposal for a new Program, Project, or Activity (PPA) structure and raise questions about whether the budget could be executed as requested.” Consequently, the Committee directed that CISA “submit the fiscal year 2022 budget request at the same level of PPA detail as provided in the table at the end of this report with no further adjustments to the PPA structure.”

Among other programmatic and funding highlights, the Committee:

  • “[E]ncourage[d] CISA to continue to use commercial, human-led threat behavioral analysis and technology, and to employ private sector, industry-specific, threat intelligence and best practices to better characterize potential consequences to critical infrastructure sectors during a systemic cyber event.”
  • Urged “CISA and the Election Infrastructure Information Sharing and Analysis Center (EI–ISAC) to expand outreach to the most vulnerable jurisdictions” with respect to election security assistance.
  • Directed “CISA to continue providing the semiannual briefing on the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM)”.
  • Pointed to $5.8 million to set up a “central Federal information security incident center,” a requirement mandated by the Federal Information Security Modernization Act (FISMA) (P.L. 113-283), and $9.3 million “to establish a formal program office to coordinate supply chain risk management efforts for federal civilian agencies; act as the executive agent for the Federal Acquisition Security Council (FASC), as authorized by the SECURE Technology Act, 2018 (Public Law 115–390); and fund various supply chain related efforts and services.”
  • Emphasized its increase of $6 million as compared to FY 2020 “to grow CISA’s threat hunting capabilities” “[i]n the face of cyber threats from nation-state adversaries such as Russia, China, Iran, and North Korea.”
  • “[P]rovide[d] an increase of $11,568,000 above the request to establish a Joint Cyber Center (JCC) for National Cyber Defense to bring together federal and State, Local, Tribal, and Territorial (SLTT) governments, industry, and international partners to strategically and operationally counter nation-state cyber threats.”
  • Bestowed “an increase of $10,022,000 above the request for the underlying infrastructure that enables better identification, analysis, and publication of known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.”
  • Noted “[t]hrough the Shared Cybersecurity Services Office (SCSO), CISA serves as the Quality Services Management Office for federal cybersecurity” and explained “[t]o help improve efforts to make strategic cybersecurity services available to federal agencies, the Committee includes $5,064,000 above the request to sustain prior year investments and an additional $5,000,000 to continue to expand the office.”
  • Expressed its concern “about cyber vulnerabilities within supply chains, which pose unacceptable risks to the nation’s physical and cyber infrastructure and, therefore, to national security” and provided “an increase of $18,005,000 above the request to continue the development of capabilities to address these risks through the ICT Supply Chain Risk Management Task Force and other stakeholders, such as the FASC.”

FY 2021 Financial Services and General Government Appropriations Act

The FY 2021 Financial Services and General Government Appropriations Act has a provision that would bar either the Federal Trade Commission (FTC) or Federal Communications Commission (FCC) from taking certain actions related to Executive Order 13925, “Preventing Online Censorship,” issued in May by the White House after Twitter fact-checked a pair of President Donald Trump’s Tweets that contained untruthful claims about voting by mail. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order, will allow this language into the final bill funding the agencies.

Under the Executive Order, the National Telecommunications and Information Administration (NTIA) is to file a petition for rulemaking with the FCC to clarify the interplay between clauses of 47 USC 230, notably whether the liability shield that protects companies like Twitter and Facebook for content posted on an online platform also extends to so-called “editorial decisions,” presumably actions like Twitter’s in fact-checking Trump regarding mail balloting. The NTIA would also ask the FCC to define better the conditions under which an online platform may take down content in good faith that are “deceptive, pretextual, or inconsistent with a provider’s terms of service; or taken after failing to provide adequate notice, reasoned explanation, or a meaningful opportunity to be heard.” The NTIA is also to ask the FCC to promulgate any other regulations necessary to effectuate the EO. The FTC was directed to consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

In the Committee Report for the FY 2021 Financial Services and General Government Appropriations Act, the House Appropriations Committee explained it provided $341 million for the FTC, “a $10,000,000 increase over fiscal year 2020… will increase the FTC’s capabilities both to monitor mergers and acquisitions that could reduce competition or lead to higher prices, and to take enforcement action against companies that fail to take reasonable steps to secure their customer data or that engage in other problematic trade practices.”

The Committee detailed the following program and funding provisions related to the FTC, including combatting fraudulent calls to seniors, robocalls, fraudulent health care calls, and the following:

  • Cryptocurrency.—The Committee encourages the FTC to work with the Securities and Exchange Commission, other financial regulators, consumer groups, law enforcement, and other public and private stakeholders to identify and investigate fraud related to cryptocurrencies market and discuss methods to empower and protect consumers.
  • Consumer Repair Rights.—The Committee is aware of the FTC’s ongoing review of how manufacturers—in particular mobile phone and car manufacturers—may limit repairs by consumers and repair shops, and how those limitations may increase costs, limit choice, and impact consumers’ rights under the Magnuson-Moss Warranty Act. Not later than 120 days after the enactment of this Act, the FTC is directed to provide to the Committee, and to publish online, a report on anticompetitive practices related to repair markets. The report shall provide recommendations on how to best address these problems.
  • Antitrust Actions.—The Committee directs the GAO to study FTC and DOJ antitrust actions over the past 25 years. The study shall examine the following questions: How many instances have FTC and DOJ been on opposing sides of the same matter? In how many of these instances was the split created by (a) the FTC intervening in DOJ’s case; and (b) the DOJ intervening in FTC’s case? In these instances, how (if at all) did the split affect the final outcome (e.g., did the judicial opinion cite the split or explain how it affected the court’s decision)? In how many instances has an FTC action appeared before the Supreme Court? Of these instances, in how many cases did the FTC represent itself (rather than be represented by the Solicitor General)? In how many instances has the DOJ or FTC reneged on a clearance agreement with the other agency? In how many of these instances was the disruption created by (a) the FTC’s decision to renege on the agreement; and (b) the DOJ’s decision to renege on the agreement? How many amicus briefs did each agency file in each year? How many of the total amicus briefs filed by DOJ were done so at the invitation of the court? How many of the total amicus briefs filed by FTC were done so at the invitation of the court?

With respect to the FCC, the package provides $376 million and requires a host of programmatic responses, including:

  • Broadband Maps.—The Committee provides significant funding for upfront costs associated with implementation of the Broadband DATA Act. The Committee anticipates funding related to the Broadband DATA Act will decline considerably in future years and expects the FCC to repurpose a significant amount of staff currently working on economic, wireline, and wireless issues to focus on broadband mapping.
  • Broadband Access.—The Committee believes that deployment of broadband in rural and economically disadvantaged areas is a driver of economic development, jobs, and new educational opportunities. The Committee supports FCC efforts to judiciously allocate Universal Service Fund (USF) funds for these areas.
  • Rural Digital Opportunity Fund.—The Committee appreciates the significant investment the FCC is planning to make to deploy broadband services to unserved areas. The Committee recognizes the need for government programs to minimize instances in which two different providers receive support from two different programs to serve the same location. However, the Committee is concerned that current program rules may have the unintended consequence of discouraging other funding sources from participating in broadband deployment, particularly State-based programs. The Committee directs the FCC to adjust program rules to ensure applicants, and the States in which those applicants would deploy broadband, are not put at a disadvantage when applying for the Rural Digital Opportunity Fund based on the State’s proactive, independent investment in broadband.
  • Lifeline Service.—The Committee is concerned that changes to the Lifeline minimum service standards and support levels will adversely impact low-income Americans, including many suffering from economic hardships due to the coronavirus. The Committee directs the FCC to pause implementation of any changes to the currently applicable minimum service standards for Lifeline-supported mobile broadband service and any changes in the current levels of Lifeline support for voice services until the FCC has completed the State of the Lifeline Marketplace Report required by the 2016 Lifeline Order…
  • Mid-Band Spectrum.—The Committee believes that Fifth-Generation (5G) mobile technology is critical to U.S. national and economic security. A key component of the U.S. strategy for 5G is ensuring that U.S. wireless providers have enough mid-band spectrum (frequencies between 3 GHz and 24 GHz), which provides fast data connections while also traveling longer distances. The Committee is concerned that the U.S. is falling behind other countries in the allocation of such spectrum. The Committee urges the Administration and the FCC to work expeditiously to identify and make available more mid-band spectrum for 5G so that the U.S. does not fall further in the race to deploy 5G networks and services.
  • 5G Supply Chain.—The Committee understands the importance of a secure 5G technology supply chain. The Committee encourages the FCC to investigate options for increasing supply chain diversity, competition, and network security via interoperable technologies and open standard-based interfaces.

The Committee had a range of mandates for the Office of Management and Budget (OMB):

  • Federal and Critical Infrastructure Cybersecurity.—The Committee is aware that Federal agencies and the nation’s critical infrastructure face unique cybersecurity threats. Executive Order 13800, issued on May 11, 2017, directs agency heads to implement several risk management and cybersecurity measures, including the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. OMB is directed to report, within 90 days of enactment of this Act, on the status of compliance with Executive Order 13800 by each applicable agency. The report shall identify risk management and cybersecurity compliance gaps and outline the steps each agency needs to take to manage such risks. OMB shall prioritize working with the applicable agency heads to address remaining gaps and inconsistencies.
  • Federal Information Technology Workforce.—OMB is directed to consult with the Office of Personnel Management and the General Services Administration and report to the Committee, no later than September 30, 2021, on gaps in Federal information technology workforce skills, disciplines, and experience required to enable the Federal government to modernize its ability to use technology and develop effective citizen-facing digital services to carry out its mission.

The Committee noted its additional funding to the Election Assistance Commission (EAC) for Election Security Grants of $500 million:

  • [T]he Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (P.L. 116–136) included $400,000,000 for grants to States to prevent, prepare for, and respond to coronavirus. The Committee is gravely concerned by persistent threats from Russia and other foreign actors attempting to influence the U.S. democratic process, and vulnerabilities that continue to exist throughout the Nation’s election system.
  • Since fiscal year 2018, Congress has provided $805,000,000 in grants to States to improve the security of elections for Federal office.
  • However, that funding has been inconsistent, unpredictable, and insufficient to meet the vast need across all the States and territories.
  • Congress must provide a consistent, steady source of Federal funds to support State and local election officials on the frontlines of protecting U.S. elections. The bill requires States to use payments to replace direct-recording electronic (DRE) voting machines with voting systems that require the use of an individual, durable, voter-verified paper ballot, marked by the voter by hand or through the use of a non-tabulating ballot marking device or system, and made available for inspection and verification by the voter before the vote is cast and counted.
  • Funds shall only be available to a State or local election jurisdiction for further election security improvements after a State has submitted a certification to the EAC that all DRE voting machines have been or are in the process of being replaced. Funds shall be available to States for the following activities to improve the security of elections for Federal office:
    • implementing a post-election, risk-limiting audit system that provides a high level of confidence in the accuracy of the final vote tally;
    • maintaining or upgrading election-related computer systems, including voter registration systems, to address cyber vulnerabilities identified through DHS scans or similar assessments of existing election systems;
    • facilitating cyber and risk mitigation training for State and local election officials;
    • implementing established cybersecurity best practices for election systems; and
    • other priority activities and investments identified by the EAC, in consultation with DHS, to improve election security.
  • The EAC shall define in the Notice of Grant Award the eligible investments and activities for which grant funds may be used by the States. The EAC shall review all proposed investments to ensure funds are used for the purposes set forth in the Notice of Grant Award.
  • The bill also requires that not less than 50 percent of the payment made to a State be allocated in cash or in kind to local government entities responsible for the administration of elections for Federal office.

Regarding the General Services Administration (GSA), the Committee directed the following:

  • Interagency Task Force on Health and Human Services Information Technology (IT).—The Committee urges the Chief Information Office and Chief Technology Officer (CTO) of HHS, in collaboration with the White House CTO and U.S. Department of Agriculture (USDA), as well as the Office of the National Coordinator for Health Information Technology (ONC) within HHS, 18F within the GSA, and the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security, to establish an interagency task force that will examine existing IT infrastructure in Federal health human service programs nationwide and identify the limitations to successfully integrating and modernizing health and human services IT, and the network security necessary for health and human services IT interoperability. The task force shall submit to the Committee within 180 days of enactment on this Act a report on its progress and on recommendations for further Congressional action, which should include estimated costs for agencies to make progress on interoperability initiatives.
  • Category Management.—The Committee is interested in understanding the effects of GSA’s category management policy on contracts with small businesses. Category management refers to the business practice of buying common goods and services as an enterprise to eliminate redundancies, increase efficiency, and deliver more value and savings from the Federal government’s acquisition programs. Within 180 days of the enactment of this Act, the Committee directs GSA, in cooperation with SBA, to submit a report to the Committee on the number of contracts that could have been awarded under sections 8(a), 8(m), 15(a), 15(j), 31, or 36 of the Small Business Act, but were exempted by category management since its implementation.

The Committee made the following recommendations generally:

  • Cyberspace Solarium Commission Recommendations.—The Committee recognizes and supports the priorities and recommendations laid out in the Cyberspace Solarium Commission’s report and urges Federal departments and agencies to align cybersecurity budgetary priorities with those laid out by the Commission. In particular, the Committee calls attention to recommendation 3.2, Develop and Maintain Continuity of the Economy Planning; recommendation 4.6.3, Strengthen the Capacity of the Committee on Foreign Investment in the United States, particularly with respect to the need to train Federal bankruptcy judges; recommendation 3.4, Improve and Enhance the Funding of the Election Assistance Commission; and recommendation 3.1, Strengthen Sector-specific Agencies’ Ability to Manage Critical Infrastructure Risk, particularly with respect to the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.
  • Zero Trust Model.—The Committee is aware that the most effective cybersecurity systems are based on the zero trust model, which is designed not only to prevent cyber intrusions but to prevent cyberthieves from accessing or removing protected information. To ensure that Federal agencies achieve the highest level of security against cyberattacks in the shortest amount of time, the Committee encourages all agencies to acquire and deploy zero trust cybersecurity software that is compatible with all existing operating systems and hardware platforms used by Federal agencies. The Committee also encourages Federal agencies to acquire and utilize software compatible with all existing operating systems and hardware platforms that will enable agencies to measure or quantify their risk of a cybersecurity attack in the months ahead and the types of cyberattack the agency is most likely to experience. Upon learning the risk and type of cyberattack the agency is most likely to face, the agency shall immediately take remedial action to minimize such risk. Agencies shall include information in their fiscal year 2022 Congressional Justification to Congress on their progress in complying with this directive.

FY 2021 Department of Defense Appropriations Act

On 14 July, the House Appropriations Committee marked up and reported out the “FY 2021 Department of Defense Appropriations Act,” which would provide $695 billion for the Department of Defense (DOD), “an increase of $1,294,992,000 above the fiscal year 2020 enacted level and a decrease of $3,695,880,000 below the budget request.”

The Committee Report contained these technology-related provisions:

  • ZERO TRUST ARCHITECTURE. The Committee encourages the Secretary of Defense to implement a Zero Trust Architecture to increase its cybersecurity posture and enhance the Department’s ability to protect its systems and data.
  • DISTRIBUTED LEDGER TECHNOLOGY RESEARCH AND DEVELOPMENT. The Committee is aware that distributed ledger technologies, such as blockchain, may have potentially useful applications for the Department of Defense, which include but are not limited to distributed computing, cybersecurity, logistics, and auditing. Therefore, the Committee encourages the Under Secretary of Defense (Research and Engineering) to consider research and development to explore the use of distributed ledger technologies for defense applications.
  • ARTIFICIAL INTELLIGENCE PARTNERSHIPS. The Committee is aware of the United States-Singapore partnership focusing on applying artificial intelligence in support of humanitarian assistance and disaster relief operations, which will help first responders better serve those in disaster zones. The Committee encourages the Secretary of Defense to pursue similar partnerships with additional partners in different regions, including the Middle East.
  • CYBER EDUCATION COLLABORATIVES. The Committee remains concerned by widespread shortages in cybersecurity talent across both the public and private sector. In accordance with the recommendations of the Cyberspace Solarium Commission, the Committee encourages the Under Secretary of Defense (Research and Engineering) to direct cyber-oriented units to collaborate with local colleges and universities on research, fellowships, internships, and cooperative work experiences to expand cyber-oriented education opportunities and grow the cybersecurity workforce. The Committee also appreciates that veterans and transitioning servicemembers could serve as a valuable recruiting pool to fill gaps in the cybersecurity workforce. Accordingly, the Committee encourages the Under Secretary to prioritize collaboration with colleges and universities near military installations as well as the veteran population.
  • 5G TELECOMMUNICATIONS TECHNOLOGY. The Committee is concerned about reports that foreign manufacturers are significantly ahead of United States companies in the development and deployment of 5G telecommunications technologies, which poses a national security risk to the United States and its allies. Without a robust domestic 5G supply chain, the United States will be vulnerable to 5G systems that facilitate cyber intrusion from hostile actors. In order to secure a reliable 5G system and a domestic supply chain that meets the national security needs of the United States and its allies, the Committee encourages the Secretary of Defense to accelerate engagement with domestic industry partners that are developing 5G systems. Additionally, the Committee is aware of the significant investments being made in 5G efforts but is concerned with the level of detail provided for congressional oversight. The Committee directs the Under Secretary of Defense (Research and Engineering) to conduct quarterly execution briefings with the House and Senate Appropriations Committees beginning not later than 90 days after the enactment of this Act.
  • MILITARY INFORMATION SUPPORT OPERATIONS. Over the past decade, the bulk of activities under Military Information Support Operations (MISO) focused on countering violent extremist organizations (VEO). While VEOs remain an ongoing threat and require continued vigilance, peer and near-peer adversaries like China and Russia are using social media and other vectors to weaken domestic and international institutions and undermine United States interests. This new information environment and the difficulty of discriminating between real and fake information heightens the importance of enhancing and coordinating United States government information-related capabilities as a tool of diplomatic and military strategy.
  • The Committee recognizes the efforts and accomplishments of the United States Special Operations Command and other agencies within the executive branch to operate in the digital domain. However, it is difficult to view individual agency activities as a coordinated whole of government effort. Over the past several years, the classified annex accompanying annual Department of Defense Appropriations Acts included direction focusing on the individual activities of geographic combatant commands. However, information messaging strategies to counter Chinese and Russian malign influences cuts across these geographic boundaries and requires coordination between multiple government agencies using different authorities.
  • Therefore, in order to better understand how MISO activities support a whole of government messaging strategy, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit a report for MISO activities for the individual geographic combatant commands justified by the main pillars of the National Defense Strategy to the House and Senate Appropriations Committees not later than 15 days after submission of the fiscal year 2022 budget request and annually thereafter. The report shall include spend plans identifying the requested and enacted funding levels for both voice and internet activities and how those activities are coordinated with the Intelligence Community and the Department of State. The enacted levels will serve as the baseline for reprogramming in accordance with section 8007 of this Act. Furthermore, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit to the congressional defense committees, not later than 90 days after the end of the fiscal year, an annual report that provides details on each combatant commands’ MISO activities by activity name, description, goal or objective, target audience, dissemination means, executed funds, and assessments of their effectiveness. Additional details for the report are included in the classified annex accompanying this Act.

FY 2021 Commerce, Justice, Science Appropriations Act

Also on 14 July, the “FY 2021 Commerce, Justice, Science Appropriations Act” was marked up and reported out, and its Committee Report contains these provisions:

  • Cybersecurity Threats.—The Committee remains concerned that as the Census Bureau looks to modernize data collection methods, the Census Bureau could potentially be exploited by nefarious actors who seek to undermine the integrity of census data, which is vital to democratic institutions, and gain access to sensitive information otherwise protected by law. These threats include both hacking into the Census Bureau IT infrastructure and efforts to use supercomputing to unmask the privacy of census respondents. The Committee directs the Census Bureau to prioritize cyber protections and high standards of data differential privacy, while also maintaining the accuracy of the data, and expects the Census Bureau to update the Committee regularly on these efforts.
  • Cybersecurity and Privacy.—The proliferation of data generation, storage, and usage associated with the digital economy is making it increasingly important to protect that data with effective cryptography and privacy standards. The Committee is concerned that individual, corporate, and public-sector data privacy is continuously at risk from attacks by individual actors, criminal organization, and nation-states. The Committee urges NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies.
  • National Initiative for Cybersecurity Education.—The Committee notes with concern the shortage of cybersecurity professionals across the government and private sector, from entry level applicants to experienced professionals. The Committee therefore supports the National Initiative for Cybersecurity Education (NICE) and directs NIST to provide resources commensurate with the prior fiscal year for this effort.
  • Cybersecurity Conformity Assessment Programs.—The Committee instructs NIST, in collaboration with other relevant organizations, to report to the Committee no later than 270 days after the enactment of this Act on challenges and approaches to establishing and managing voluntary cybersecurity conformity assessment programs for information and communication technologies including federal cloud technologies.
  • Cybersecurity Training.—Within the increase to Manufacturing Extension Partnership (MEP), the Committee directs NIST to maintain the core services of the MEP and encourages NIST to utilize existing expertise within its Information Technology Laboratory to increase cybersecurity technical training to small manufacturers to strengthen their cybersecurity capabilities given the troubling threats from state and non-state actors and other emerging threats.
  • Cybersecurity threat information sharing.—The Committee supports sharing by DOJ of cybersecurity threat warnings and intelligence with private companies who may benefit from actionable information to deter, prevent, or mitigate threats. The Committee asks DOJ to provide a briefing on this topic not later than 90 days after enactment of this Act.
  • Chinese-government affiliated companies.—The Committee is concerned with companies operating within the United States that are known to have substantial ties to the Chinese government, including full or partial ownership by the Chinese government, and that are required by Chinese law to assist in espionage activities, including collection of personally identifiable information of American citizens. Such companies may pose cybersecurity risks, such as vulnerabilities in their equipment, and some are the subject of ongoing Congressional and Executive Branch investigations involving their business practices. The Committee directs DOJ to enforce applicable laws and prevent the operation of known foreign entities who participate in the theft of American intellectual property, the harvesting of personal identifiable information on behalf of a foreign government, and the unlawful surveillance of American citizens by adversarial state-owned enterprises.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Congressional Cybersecurity Commission Releases Annex To Final Report

A Congressional cyber panel is adding four recommendations to its comprehensive March report.  

On 2 June, the Cyberspace Solarium Commission (CSC) released an annex to its final report. The CSC was created by the National Defense Authorization Act for Fiscal Year 2019 (P.L. 115-232) to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” In mid-March, the CSC released its final report and made a range of recommendations, some of which were paired with legislative language the CSC has still not yet made available. However, Members of Congress who served on the CSC are working with the Armed Services Committees to get some of this language added to the FY 2021 National Defense Authorization Act (NDAA). See this issue of the Technology Policy Update for more detail on the CSC’s final report.

Per its grant of statutory authority, the CSC is set to terminate 120 days after the release of its final report, which will be next month. Nonetheless, the CSC has been holding a series of webinars to elucidate or explain various components of the final report, and the Commission began to consider cybersecurity through the lens of the current pandemic for parallels and practical effects. Consequently, the CSC added four new recommendations and renewed its call that recommendations in its final report related to the pandemic – in the view of the Commission – receive renewed attention and ideally action by Congress and the Executive Branch.

The CSC again called for the types of resources and reforms most policymakers have either not shown an appetite for or believe are a few bridges too far. Even though the CSC stated its intention to be a “9/11 Commission without the 9/11 event,” it is unlikely such sweeping policy changes will be made in the absence of a crisis or event that fundamentally changes this status quo. Nevertheless, the CSC’s new recommendations are targeted and modest, one of which calls for funneling more funds through an existing grant program to bolster private sector/non-profit efforts and another for a government agency to exercise previously granted authority. What’s more, the CSC could add the new recommendations to those shared in the form of legislative language with the Armed Services Committees in the hopes they are included in this year’s NDAA. Given that CSC co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) serve on their chambers’ Armed Services Committees as do the other two Members of Congress on the CSC, Senator Ben Sasse (R-NE) and Representative James Langevin (D-RI), the chances of some of the recommendations making it into statute are higher than they may be otherwise.

In its “White Paper #1: Cybersecurity Lessons from the Pandemic,” the CSC asserted:

The COVID-19 pandemic illustrates the challenge of ensuring resilience and continuity in a connected world. Many of the effects of this new breed of crisis can be significantly ameliorated through advance preparations that yield resilience, coherence, and focus as it spreads rapidly through the entire system, stressing everything from emergency services and supply chains to basic human needs and mental health. The pandemic produces cascading effects and high levels of uncertainty. It has undermined normal policymaking processes and, in the absence of the requisite preparedness, has forced decision makers to craft hasty and ad hoc emergency responses. Unless a new approach is devised, crises like COVID-19 will continue to challenge the modern American way of life each time they emerge. This annex collects observations from the pandemic as they relate to the security of cyberspace, in terms of both the cybersecurity challenges it creates and what it can teach the United States about how to prepare for a major cyber disruption. These insights and the accompanying recommendations, some of which are new and some of which appear in the original March 2020 report, are now more urgent than ever.

The CSC conceded that “[t]he lessons the country is learning from the ongoing pandemic are not perfectly analogous to a significant cyberattack, but they offer many illuminating parallels.

  • First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis and work across borders to contain its spread.
  • Second, both the COVID-19 pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordination mechanisms.
  • Third, when no immediate therapies or vaccines are available, testing and treatments emerge slowly; such circumstances place a premium on building systems that are agile, are resilient, and enable coordination across the government and private sector, much as is necessary in the cyber realm.
  • Finally, and perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response.

The CSC continued:

The COVID-19 pandemic is a call to action to ensure that the United States is better prepared to withstand shocks and crises of all varieties, especially those like cyber events that we can reasonably predict will occur, even if we do not know when. We, as a nation, must internalize the lessons learned from this emergency and move forward to strengthen U.S. national preparedness.  This means building structures in government now to ensure strategic leadership and coordination through a cyber crisis. It means driving down the vulnerability of the nation’s networks and technologies. And finally, it means investing in rigorously building greater resiliency in the government, in critical infrastructure, and in our citizenry. In the past several years, experts have sounded the alarm, ranking cyberattacks as one of the most likely causes of a crisis. As the COVID-19 crisis has unfolded, the United States has experienced a wake-up call, prompting a national conversation about disaster prevention, crisis preparedness, and incident response. While COVID-19 is the root cause of today’s crisis, a significant cyberattack could be the cause of the next. If that proves to be the case, history will surely note that the time to prepare was now.

The CSC offered these four new recommendations:

  • Pass an Internet of Things Security Law: With a significant portion of the workforce working from home during the COVID-19 disruption, household internet of things (IoT) devices, particularly household routers, have become vulnerable but important pieces of our national cyber ecosystem and our adversary’s attack surface. To ensure that the manufacturers of IoT devices build basic security measures into the products they sell, Congress should pass an IoT security law. The law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s “Recommendations for IoT Device Manufacturers.” But it should be only modestly prescriptive, relying more heavily on outcome-based standards, because security standards change with technology over time. Nonetheless, the law should stress enduring standards both for authentication, such as requiring unique default passwords that a user must change to their own authentication mechanism upon first use, and for patching, such as ensuring that a device is capable of receiving a remote update. Congress should consider explicitly tasking the Federal Trade Commission with enforcement of the law on the basis of existing authorities under Section 5 of the Federal Trade Commission Act.
    • In a footnote, the CSC asserted “[t]he proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2019 provides a viable model for a federal law that mandates that connected devices procured by the federal government have reasonable security measures in place, but should be expanded to cover all devices sold or offered for sale in the United States.”
    • The initial draft of the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734) was a revised, unified version of two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283). However, during the process of consideration in both chambers, differences emerged that as of yet have not been reconciled. Still, it is possible that a final version of this bill gets folded into the FY 2021 NDAA or is passed as standalone legislation in the waning days of this Congress.
    • However, the FTC already uses its Section 5 authorities to bring actions against IoT manufacturers. For example, last month, the agency announced a settlement with Tapplock regarding “allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.”
  • Support Nonprofits that Assist Law Enforcement’s Cybercrime and Victim Support Efforts: Cyber-specific nonprofit organizations regularly collaborate with law enforcement in writing cybercrime reports, carrying out enforcement operations, and providing victim support services. As the COVID-19 pandemic has proven, trusted nonprofit organizations serve as critical law enforcement partners that can quickly mobilize to help identify and dismantle major online schemes. Such nonprofits have the expertise and flexibility to help and reinforce law enforcement efforts to disrupt cybercrime and assist victims. However, they often face financial challenges. Therefore, the Commission recommends that Congress provide grants through the Department of Justice’s Office of Justice Programs to help fund these essential efforts.
    • The portion of the Department of Justice’s Office of Justice Programs that makes grants was provided $1.892 billion in FY 2020, with large chunks being earmarked for state and local law enforcement agencies like the Edward Byrne Memorial Justice Assistance Grant program. Therefore, there would likely need to be additional funding provided for this program if there will be additional eligible recipients and additional purposes.
  • Establish the Social Media Data and Threat Analysis Center: Because major social media platforms are owned by private companies, developing a robust public-private partnership is essential to effectively combat disinformation. To this end, the Commission supports the provision in the FY2020 National Defense Authorization Act that authorizes the Office of the Director of National Intelligence to establish and fund a Social Media Data and Threat Analysis Center (DTAC), which would take the form of an independent, nonprofit organization intended to encourage public-private cooperation to detect and counter foreign influence operations against the United States. The center would serve as a public-private facilitator, developing information-sharing procedures and establishing—jointly with social media—the threat indicators that the center will be able to access and analyze. In addition, the DTAC would be tasked with informing the public about the criteria and standards for analyzing, investigating, and determining threats from malign influence operations. Finally, in order to strengthen a collective understanding of the threats, the center would host a searchable archive of aggregated information related to foreign influence and disinformation operations.
    • This is, obviously, not really a new recommendation, but rather a call for already granted authority to be used. The Director of National Intelligence was provided discretionary authority to establish the DTAC in P.L. 116-92 and has not chosen to do so yet. There are a number of existing entities that may qualify, such as the Atlantic Council’s Digital Forensic Research Lab or the Alliance for Securing Democracy. However, the issue may be resources in that the DNI was not provided any additional funding to stand up the DTAC.
  • Increase Nongovernmental Capacity to Identify and Counter Foreign Disinformation and Influence Campaigns: Congress should fund the Department of Justice to provide grants, in consultation with the Department of Homeland Security and the National Science Foundation, to nonprofit centers seeking to identify, expose, and explain malign foreign influence campaigns to the American public while putting those campaigns in context to avoid amplifying them. Such malign foreign influence campaigns can include covert foreign state and non-state propaganda, disinformation, or other inauthentic activity across online platforms, social networks, or other communities. These centers should analyze and monitor foreign influence operations, identify trends, put those trends into context, and create a robust, credible source of information for the American public. To ensure success, these centers should be well-resourced and coordinated with ongoing government efforts and international partners’ efforts.
    • It is not clear whether this program would be conducted through an existing DOJ program or a new one would be created. As with the DOJ’s Office of Justice Programs, funding may be an issue, and while the Armed Services Committees may be able to fold this into the FY 2021 NDAA (notwithstanding jurisdictional issues considering the DOJ is part of the Judiciary Committees’ purviews), the Appropriations Committees would ultimately decide whether this would be funded.

Fall Preview For Technology Legislation

With Congress having returned from the August recess, bright-eyed and bushy-tailed, a host of bills are awaiting these eager lawmakers. However, I will focus only on those bills that have been marked up and reported out of committee or have been passed by one chamber as these bills may be the most likely to be enacted. Of course, there are other issue areas Congress may address with legislation this fall, but as yet, legislation has neither been introduced nor marked up (e.g. privacy, data security, and the PATRIOT Act reauthorization.)

And, it should be noted that past could be prologue with respect to a PATRIOT Act reauthorization. As you might recall, what became the “Cybersecurity Act of 2015” (P.L. 114-113) was effectively blocked because of fighting over expiring PATRIOT Act provisions that were ultimately reauthorized as modified in the “USA Freedom Act” (P.L. 114-23). Therefore, until Congress reauthorizes these provisions, and I think it highly likely they will, it is possible technology-related legislation will be essentially used as leverage by proponents and opponents to see their preferred policy outcome enacted. Having said that, there are a number of technology-related bills that have been reported out of committee or come to the floor of one chamber or the other.

First, and possibly foremost, since this reauthorization has been enacted annually since the Kennedy Administration, is the FY 2020 National Defense Authorization Act (NDAA) (H.R. 2500/S. 1790). As cybersecurity has grown in prominence nationally and at the Pentagon, provisions dealing with this topic area have proliferated. Consequently, both bills are stuffed with statutory language ranging from supply chain to acquisition to offensive and defensive cyber operations, and other facets of cybersecurity. Likewise, the committee reports are also full of directives, mainly to the Pentagon, regarding actions, programs, briefings, and reports Congress would like the Department of Defense to undertake. Both NDAAs have passed their respective chambers and the Armed Services Committees have been working on reconciling the bills. Incidentally, the Senate attached its FY 2018, 2019, and 2020 Intelligence Authorization to S. 1790, which is also replete with cyber-related provisions for the Intelligence Community (i.e. the “Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020” (S. 1589)). On July 17, the House passed the “Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act (IAA) for Fiscal Years 2018, 2019, and 2020” (H.R. 3494) by a 397-31 vote. Therefore, it is possible that the NDAA also carries the intelligence reauthorization to enactment.

Speaking of annually enacted vehicles to effect technology policy, all twelve of the FY 2020 appropriations acts have yet to be enacted. A number of the bills contain crucial language on cybersecurity and technology funding with a handful of bills being most important with respect to funding: the Homeland Security, Department of Defense, Financial Services and General Government, and the Commerce-Justice-Science appropriations acts. Despite having struck a deal on top-lines, it is not clear that Congress will enact its appropriations bills before the current year ends on September 30. Therefore, we may be looking at a continuing resolution into the fall, ideally followed by an omnibus or series of bills packaged together to fund FY 2020 programs. For example, the “FY 2020 Homeland Security Appropriations Act” would provide the Cybersecurity and Infrastructure Security Agency (CISA) $2.016 billion for FY 2020, a boost of $334 million above its FY 2019 funding level and $408 million above the Administration’s budget request.

Election security will likely be an area around which there will be intense messaging but less legislative action. House Democrats made election security reform a policy priority in large part because of the Russian interference and hacking in the 2016 election. The House has sent substantially the same legislation in two bills (i.e. the “For The People Act of 2019” (H.R. 1), a package of election reforms, and the “Securing America’s Federal Elections (SAFE) Act of 2019” (H.R. 2722)) to the Senate where Senate Majority Leader Mitch McConnell (R-KY) has refused to consider them or Senate bills. Broadly speaking, these bills would authorize funding and establish federal standards for states and localities in improving and upgrading their election systems against hacks and attacks. Incidentally, the $600 million in election grants these bills call for was provided in the “Financial Services and General Government Appropriations Act, 2020” (H.R. 3351) the House passed in June.

As noted, at the end of July, after the Senate Intelligence Committee released the first of the five-volume report on the 2016 presidential election, Senators Richard Blumenthal (D-CT), Mark Warner (D-VA), Amy Klobuchar (D-MN), and others sought unanimous consent to proceed to a number of election security related bills but were blocked by Senate Republicans. The bills Senate Democrats tried to bring up for immediate consideration included:

  • The “Duty To Report Act” (S. 1247)
  • The “FIRE Act” (S. 2242)
  • The “Senate Cybersecurity Protection Act” (S. 890)
  • The “Securing America’s Federal Elections Act” (SAFE Act) (H.R. 2722)

The Senate did, however, pass the “Defending the Integrity of Voting Systems Act” (S. 1321) by unanimous consent on July 17. S. 1321 would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that “will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States.” The House has yet to act on these bills. However, despite action on S. 1321 and 1328, Senate Democrats seem intent on continuing to try and force consideration of election security legislation. It is unclear whether McConnell will relent.

Likewise, the House has also begun work on legislation to punish those found guilty of interfering with U.S. elections. In July the House Foreign Affairs Committee met and marked up a number of bills, including the “Safeguard our Elections and Combat Unlawful Interference in Our Democracy Act” (SECURE Our Democracy Act) (H.R. 3501), which “would impose sanctions on anyone found to interfere illegally in an American election from overseas…[and] is designed to punish Russian interference in the 2016 election and also deter future election interference” according to the Committee’s press release.

Congress also has pending a number of bills focused on the federal government’s cybersecurity posture and capabilities. In January, the House passed the “Federal CIO Authorization Act of 2019” (H.R. 247) that would codify the positions of Chief Information Officer (CIO) and Chief Information Security Officer (CISO), make the positions presidential appointments, require the CIO to report directly to the Office of Management and Budget (OMB) Director, require each agency to submit reports on all IT expenditures to the CIO, and task the CIO with submitting a plan to Congress “for consolidating information technology across the Federal Government…and increasing the use of shared services, including any recommendations for legislative changes that may be necessary to effect the proposal.” H.R. 247 is identical to a bill, the “Federal CIO Authorization Act of 2018” (H.R. 6901), the House overwhelmingly passed in December, but the Senate never took up the bill.

On July 17, the House Homeland Security Committee held a markup and reported out four such cybersecurity bills:

  • The “Securing the Homeland Security Supply Chain Act of 2019” (H.R. 3320) would “authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk” with authority similar to those granted to the Department of Defense in the FY 2019 National Defense Authorization Act to exclude contractors with unacceptable supply chain risks.
  • The “DHS Acquisition Reform Act of 2019” (H.R. 3413) would “provide for certain acquisition authorities for the Under Secretary of Management of the Department of Homeland Security.”
  • The Pipeline Security Act (H.R. 3699) would “codify the Transportation Security Administration’s responsibility relating to securing pipelines against cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines.”
  • The “Cybersecurity Vulnerability Remediation Act” (H.R. 3710) would permit but not require the Cybersecurity and Infrastructure Security Agency (CISA) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”

In June, the House took up and passed the “DHS Cyber Incident Response Teams Act of 2019” (H.R. 1158), as amended, by voice vote. H.R. 1158 would require the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity and Communications Integration Center (NCCIC) to “maintain cyber hunt and incident response teams for the purpose of providing, as appropriate and upon request, assistance” “to asset owners and operators in restoring services following a cyber incident” among other circumstances. NCCIC must “continually assess and evaluate the cyber incident response teams and their operations using robust metrics” and may “include cybersecurity specialists from the private sector on cyber hunt and incident response teams.” A related bill has been marked up and reported out of the Senate Homeland Security and Governmental Affairs Committee, the “DHS Cyber Hunt and Incident Response Teams Act of 2019” (S. 315), that would charge NCCIC and CISA with substantially the same missions. The Senate Homeland Security Committee marked up and reported out two other such bills:

  • The “National Cybersecurity Preparedness Consortium Act of 2019” (S. 333) would allow the Department of Homeland Security to “work with a consortium to support efforts to address cybersecurity risks and incidents.” Consortiums are defined to be “a group primarily composed of nonprofit entities, including academic institutions, that develop, update, and deliver cybersecurity training in support of homeland security.”
  • The “Federal Rotational Cyber Workforce Program Act of 2019” (S. 406), which would establish a program under which cybersecurity employees would rotate at federal agencies.

In July, the Senate Homeland Security Committee marked up and reported out the “State and Local Government Cybersecurity Act of 2019” (S. 1846) that would provide the Department of Homeland Security (DHS) the authority “[t]o make grants to and enter into cooperative agreements or contracts with States, local governments, and other non-Federal entities” and direct the National Cybersecurity and Communications Integration Center (NCCIC) to work “with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center” on addressing a variety of cybersecurity-related responsibilities.

Congress also has proposed measures targeted at small businesses. On July 15, the House took up and passed a pair of cybersecurity bills from the suspension calendar:

  • The “SBA Cyber Awareness Act” (H.R. 2331) would “require the Small Business Administrator (SBA) to issue annual reports assessing its IT and cybersecurity infrastructure and notify Congress and affected parties of cyber incidents when they occur.”
  • The “Small Business Development Center Cyber Training Act of 2019” (H.R. 1649) would “help Small Business Development Centers (SBDCs) become better trained to assist small businesses with their cyber security and cyber strategy needs…[and] would establish a cyber counseling certification program in lead SBDCs to better assist small businesses with planning and implementing cybersecurity measures to defend against cyber attacks.”

Congress has also initiated legislation to better regulate the energy sector’s cybersecurity. On July 17, the House Energy and Commerce Committee marked up a quartet of energy sector cybersecurity bills:

  • The “Enhancing Grid Security through Public-Private Partnerships Act” (H.R. 359) “directs the Secretary of Energy, in consultation with States, other federal agencies, and industry stakeholders, to create and implement a program to enhance the physical and cyber security of electric utilities.”
  • The “Cyber Sense Act of 2019” (H.R. 360) would establish a “voluntary program [that] would identify cyber-secure products that could be used in the bulk-power system.”
  • The “Energy Emergency Leadership Act” (H.R. 362) would “create a new DOE Assistant Secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure, and cybersecurity.”
  • The “Pipeline and LNG Facility Cybersecurity Preparedness Act” (H.R. 370) “would establish a program at DOE, in coordination with other Federal agencies, States, and the energy sector, to create policies and procedures to improve the physical and cyber security and resiliency of natural gas transmission and distribution pipelines, hazardous liquid pipelines, and liquefied natural gas (LNG) facilities.”

There are two bills regarding the Internet of Things that have been reported out of committee. On July 10, the Senate Commerce, Science, and Transportation Committee held a markup and reported out the “Developing Innovation and Growing the Internet of Things (DIGIT) Act” (S. 1611) sponsored by Senators Deb Fischer (R-NE), Cory Gardner (R-CO), Brian Schatz (D-HI), and Cory Booker (D-NJ). In her press release, Fischer explained the bill “would convene a working group of federal entities and experts from the private and academic sectors tasked with providing recommendations to Congress on how to facilitate the growth of connected Internet of Things (IoT) technologies.” She added that “[t]he group’s recommendations would focus on how to plan for, and encourage, the development and deployment of the IoT in the U.S…[and] directs the Federal Communications Commission (FCC) to complete a report assessing spectrum needs required to support the Internet of Things.” S. 1611 is substantially similar to legislation (S. 88) that the Senate passed unanimously in the last Congress but the House never took up. It is not clear whether the same resistance exists in the House, but unlike the last Congress a companion DIGIT Act has not yet been introduced in the House.

Earlier this year, two versions of the same IoT bill were marked up and reported out of committee. The Senate Homeland Security and Governmental Affairs Committee marked up and reported out the “Internet of Things Cybersecurity Improvement Act of 2019” (S. 734) a week after the House Oversight and Reform Committee acted on the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668) after adopting an amendment in the nature of a substitute that narrowed the scope of the bill. In general, these bills seek to leverage the federal government’s ability to set standards through acquisition processes to ideally drive the development of more secure IoT across the U.S. The stakeholders are responding to the security risks presented by weak or nonexistent security for IoT as seen in a number of major malware attacks. The legislation would require the NIST, the OMB, and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to work together to institute standards for IoT owned or controlled by most federal agencies. These standards would need to focus on secure development, identity management, patching, and configuration management and would be made part of Federal Acquisition Regulations (FAR), making them part of the federal government’s approach to buying and utilizing IoT. Thereafter, federal agencies and contractors would need to use and buy IoT that meets the new security standards.

Finally, House Democrats have made rolling back the Federal Communications Commission’s (FCC) repeal of the Obama Administration’s Open Internet Order (aka net neutrality) a priority. On April 3, the House Energy and Commerce Committee marked up and reported out the “Save the Internet Act of 2019” (H.R. 1644) that would undo the Federal Communications Commission’s (FCC) repeal of the Obama Administration’s 2015 net neutrality order and reclassify internet service providers (ISPs) under Title II of the Federal Communications Act as common carriers. The bill was subsequently passed by the House by a 232-190 vote, but the Senate has not yet taken up the bill and likely will not.

“I’m Shocked, Shocked To Find That Gambling Is Going On In Here”

The Congressional Budget Office (CBO) has updated its January “The Budget and Economic Outlook: 2019 to 2029,” and to what should be no great surprise, the U.S.’s projected fiscal condition is, well, not good. To anyone monitoring the CBO’s economic and budget updates, this is really not news. Nor is the insistence of some that the projected annual near trillion dollar on-budget deficits means it’s time to cut Democratic priorities. I suppose this sort of predictability among those who supported the “Tax Cuts and Jobs Act of 2017” (P.L. 115-97) is reassuring in a world where one struggles to find things on which to depend. So, cue up the calls among Republicans for fiscal responsibility that will become cacophonous should a Democrat retake the White House. Anyway on to specifics.

Here’s the CBO summary of the update:

  • Deficits. In CBO’s projections, the federal budget deficit is $960 billion in 2019 and averages $1.2 trillion between 2020 and 2029. Over the coming decade, deficits (after adjustments to exclude the effects of shifts in the timing of certain payments) fluctuate between 4.4 percent and 4.8 percent of gross domestic product (GDP), well above the average over the past 50 years. Although both revenues and outlays grow faster than GDP over the next 10 years in CBO’s baseline projections, the gap between the two persists.
  • Debt. As a result of those deficits, federal debt held by the public is projected to grow steadily, from 79 percent of GDP in 2019 to 95 percent in 2029—its highest level since just after World War II (see Chapter 1).
  • The Economy. Real (inflation-adjusted) GDP is projected to grow by 2.3 percent in 2019, supporting strong labor market conditions that feature low unemployment and rising wages. This year, real output is projected to exceed CBO’s estimate of its potential (maximum sustainable) level. After 2019, consumer spending and purchases of goods and services by federal, state, and local governments are projected to grow at a slower pace, and annual output growth is projected to slow—averaging 1.8 percent over the 2020–2023 period—as real output returns to its historical relationship with potential output. From 2024 to 2029, both output and potential output are projected to grow at an average pace of 1.8 percent per year, which is less than the long-term historical average. That slowdown occurs primarily because the labor force is expected to grow more slowly than it has in the past (see Chapter 2).
  • Changes in CBO’s Projections Since May 2019. CBO’s estimate of the deficit for 2019 is now $63 billion more—and its projection of the cumulative deficit over the 2020–2029 period, $809 billion more—than it was in May 2019. The agency’s baseline projections of primary deficits (that is, deficits excluding net outlays for interest) for that period increased by a total of $1.9 trillion. Recently enacted legislation accounts for most of that change. In particular, incorporating the higher discretionary funding limits for 2020 and 2021 that were established in the Bipartisan Budget Act of 2019 increased CBO’s projections of primary deficits for the 2020–2029 period by $1.5 trillion. (Those projections reflect the assumption—required by law—that future discretionary funding will grow at the rate of inflation after those limits expire.)

The CBO continues:

Partly offsetting the increase in projected primary deficits is a net reduction of $1.1 trillion in the agency’s projections of interest costs over that same period. The largest factor contributing to that change is that CBO revised its forecast of interest rates downward, which lowered its projections of net interest outlays by $1.4 trillion (including interest savings from the resulting reductions in deficits and debt). Taken together, other changes to the budget projections increased projected debt-service costs by nearly $0.3 trillion; $0.2 trillion of that amount is associated with the increase in projected spending stemming from the Bipartisan Budget Act.

To put this update, which shows FY 2019 will see a $980 billion deficit, in context: in June 2017, CBO estimated that the 2017 deficit would be $693 billion, “$109 billion more than the $585 billion deficit posted in 2016.” So, the deficit has been going in the wrong direction from a nominal dollars point of view. At that time, CBO explained the bases for this projection:

The projected rise in deficits would be the result of rapid growth in spending for federal retirement and health care programs targeted to older people and to rising interest payments on the government’s debt, accompanied by only moderate growth in revenue collections.

The wave of retirements does appear to be happening, and there will undoubtedly be a surge in spending on Medicare. However, the CBO has been consistently wrong in its projections of interest rates on federal debt. In January 2006, CBO claimed

Interest rates are expected to move upward during the next two years, as the economy grows and the Federal Reserve continues to move toward a more neutral monetary policy. CBO forecasts that the three-month Treasury bill rate will rise to about 2.8 percent in 2005 and 4 percent in 2006; thereafter, it will average 4.6 percent, which is relatively low by historical standards. In the forecast, the rise in the rate for the 10-year Treasury note is somewhat smaller; it averages 4.8 percent in 2005 and 5.4 percent in 2006, then inches up to average 5.5 percent from 2007 to 2015.

However, in 2013, in the middle of the band CBO said would see interest rates averaging 5.5%, CBO said

CBO’s baseline economic forecast anticipates that the interest rate on 3-month Treasury bills—which has hovered near zero for the past several years—will climb to 4 percent by the end of 2017; by that point, the rate on 10-year Treasury notes is also projected to rise from its current level of around 2 percent. (Emphasis added.)

Perhaps CBO’s crystal ball on projected interest rates on federal debt is a bit cloudy?

As for other drivers behind this explosion in deficits and ultimately debt, in April 2018, CBO explained

Projected deficits over the 2018–2027 period have increased markedly since June 2017, when CBO issued its previous projections. The increase stems primarily from tax and spending legislation enacted since then—especially Public Law 115-97 (originally called the Tax Cuts and Jobs Act and called the 2017 tax act in this report), the Bipartisan Budget Act of 2018 (P.L. 115-123), and the Consolidated Appropriations Act, 2018 (P.L. 115-141). The legislation has significantly reduced revenues and increased outlays anticipated under current law.

However, the Bipartisan Budget deal and FY 2018 Omnibus pale in comparison to the size of the impact of the tax cut bill on the federal balance sheet. In 2018, CBO explained the package “increases the total projected deficit over the 2018–2028 period by about $1.9 trillion,” but, to be fair, $600 billion of that is increased service on federal debt on account of increased interest rates. But the CBO used modeling that sounds very much like “dynamic scoring,” which takes into account economic changes downstream from the change in federal spending that may mitigate or worsen the federal outlook. In this case, CBO claims increased economic activity will reduce the size of the total bill from $1.8 trillion in primary deficit to $1.3 trillion.

Consequently, many Republicans, including the White House, will call for cuts in virtually all non-defense spending save for Social Security and Medicare, which are sacrosanct so long as seniors vote. It will be interesting to see how Democrats respond. My guess is that candidates for the Democratic nomination for president will call for rolling back the 2017 tax bill and for raising rates even further on the wealthy and corporations to pay for new ambitious social programs like Medicare for America or Medicare for All.

Administration Delivers Another Budget Request Congress Will Largely Ignore

This week, the Trump White House released a summary of their FY 2020 budget request, and, to date, has not yet released the meat of any President’s budget: the agencies’ budget documents and OMB’s materials. Nonetheless, what we can discern from the budget request is that it’s largely the same as the previous two budget requests in that defense spending would see a spike and non-defense spending would largely get a spike through its heart. In short, this is the anti-Great Society budget.

Big picture, the Administration proposes to live within the Budget Control Act caps for FY 2020…sort of. Discretionary defense funding would be $576 billion and non-defense discretionary funding at $567 billion, which would be cuts of $71 billion and $55 billion compared to FY 2019 enacted funding. However, as floated recently by the Administration, they propose to use Overseas Contingency Operations (OCO) accounts to circumvent the cap of discretionary funding through a request of $165 billion, an OCO number not seen since the Afghanistan surge in FY 2011. Considering House Armed Services Committee Ranking Member Mac Thornberry (R-TX) has already given this ruse the thumbs down, I think we can assume this is not going to be the means by which the Pentagon is funded this year.

The “2-penny” proposal is back. As you may recall from last year’s request, the Administration is asking that Congress cut 2% from non-defense discretionary spending for the balance of the budget window, which, if enacted, would lead to $458 billion being spent on these programs in FY 2029, or a 26.1% decrease from FY 2019. Incidentally, defense discretionary funding would be $817 billion in FY 2029, a 14.1% increase from FY 2019.

On the programmatic side of domestic funding, the Administration is proposing cuts that would return the federal government to a pre-LBJ size and scope. Again, the Administration is asking Congress to repeal and replace the “Patient Protection and Affordable Care Act” (PPACA) with “legislation modeled after the Graham-Cassidy-Heller-Johnson bill proposed in September 2017.” The Administration is proposing repeal and replace despite the chances being zero because there is no way House Democrats would agree. Nonetheless, this bill would undo much of the PPACA and block grant Medicaid and set a per-capita cap. The Administration “would give States additional flexibility around benefits and cost-sharing, such as increasing copayments for non-emergency use of the emergency department to encourage appropriate use of healthcare resources, as well as allowing States to consider savings and other assets when determining Medicaid eligibility.” In other words, continuing the same path started under the Section 1115 waiver process that has allowed Kentucky and Arkansas to implement work requirements to their Medicaid programs and other changes that have resulted in people being pushed out of their healthcare coverage. Likewise, the Administration states “The Budget includes bold proposals to help able-bodied adults participating in the Supplemental Nutrition Assistance Program (SNAP) enter the job market and work toward self-sufficiency.”

HUD’s Community Development Block Grant program (CDBG) would be zeroed because it “has not demonstrated sufficient impact.” For FY 2019, Congress ignored a similar request and funded this popular program at $3 billion.

The Administration is proposing to cut the Department of Education’s Public Service Loan Forgiveness program and “streamline” the income-driven repayment (IDR) (i.e., most likely impose dramatic cuts to eligibility).

However, the U.S.-Mexico border is back, front and center. The Administration asks for $5 billion in the DHS section of the budget request to build a “border wall,” $2.7 billion “for 54,000 detention beds to ensure ICE has the ability to detain criminal aliens and those apprehended at the border—including aliens with meritless asylum claims—so they can be safely removed,” and the creation of a new “Border Security and Immigration Enforcement Fund to provide the additional mandatory funding resources necessary to meet the President’s border security and immigration enforcement goals.” This last item is an obvious attempt to circumvent Congress’ control of funding and programmatic issues through annual funding bills, for with such a mandatory source of funding, the Administration would conceivably have more leeway in getting and using funds. However, I doubt very seriously Congress will agree to this.

In any event, I would recommend skipping much of the prose and heading straight for Page 109 where the tables begin.

Like almost all Presidential budgets, the economic assumptions are rosy (Table S–9). The Administration is projecting that current economic growth will grow a bit in 2019 (from 2.8% to 3.2%) and then dip in FY 2020 to 3.1%. If this comes to be, this would be solid economic growth that would help the government’s finances. We’ll see. Also, the Administration is projecting 2.3% inflation not only for FY 2020 but for the entire ten year budget window. And, the Administration is projecting a $1.101 trillion deficit for FY 2020 and a $1.092 trillion for FY 2019.

In terms of economic assumptions, the Administration is projecting real GDP growth of 3.1% for 2020, no change in the unemployment rate of 3.6%, the interest rate on the 10-year Treasury note will rise to 3.6%, and inflation to rise from 2.1% to 2.3%. Overall, the Trump Administration is projecting a deficit of $1.101 trillion for FY 2020 (or 4.9% of projected GDP).

In this chart (S-8), the Trump Administration shows the extent of the domestic funding cuts:

However, these numbers are not entirely accurate, for, as OMB explains in Footnote 1, some of the agencies’ funding top-lines are based on the FY 2019 continuing resolution levels because the chart was prepared before enactment of the “Consolidated Appropriations Act 2019” (P.L. 116-6), the bill that ended the five-week partial government shutdown. Nonetheless, they provide a rough if not close sense of how deep some of the proposed cuts would be:
Agriculture -14.8%
Education -12%
Energy -10.8%
Health and Human Services -11.9%
Housing and Urban Development -16.4%
Interior -10.9%
Labor -9.7%
State and foreign operations -23.3%
Transportation -21.5%

In all, this budget, if enacted, would render major changes to the U.S. with respect to social policy and push the country even further down the path of income inequality. However, Congress will not go along, and most of the budget will be ignored, and the spending caps will be adjusted upwards for both defense and non-defense.