Congress dramatically ratcheted up the number of cybersecurity bills introduced in the last two years compared to the prior session of Congress, but that didn’t equate to much more of it becoming law, according to a think tank study out today.
And while cybersecurity legislation remained a relative oasis of bipartisanship, that tendency sharply dropped off when it came to election security, found the tally from Third Way — which CyberScoop is first reporting.
The findings offer potential insights into how the issue is evolving, and where it might go next, even if the trends don’t lend themselves to a simple explanation.
In all, lawmakers introduced 316 cybersecurity bills in the 116th Congress that ran from 2019 to 2020, a 40% increase from the 115th Congress. That continues a trend that took off in that session of Congress: The 114th Congress saw just 22 cybersecurity measures offered, the center-left think tank concluded.
Only 14 cybersecurity bills became law in the most recent term, however, up from 11 in the prior session. They included bills that contained many of the recommendations of the Cyberspace Solarium Commission, and legislation that established baseline standards for “internet of things” devices the federal government purchases.
Michael Garcia, senior policy adviser at Third Way, said that the increase in volume of bills introduced reflected lawmakers growing more comfortable with cybersecurity overall.
It’s more than that, though. Eleven of the new bills dealt with COVID-19 cybersecurity matters, such as the Defend COVID Research from Hackers Act that would authorize sanctions against nations that hack U.S. COVID-19 research, or the COVID-19 Consumer Data Protection Act designed to protect citizens’ sensitive personal data when it’s used for contact tracing.
Growing awareness of the threats from China, Iran, North Korea and Russia spurred an increase in the number of foreign policy-related cyber bills to 48.
Some of the uptick might also be caused by the notion that lawmakers did not have an especially busy congressional season before. Third Way counted “95 bills [that] were reintroduced from the previous Congress, so you keep seeing people building off of their colleagues’ works or reintroducing some of their pet projects,” Garcia said.
Lawmakers also may have seen their creation of the Cybersecurity and Infrastructure and Security Agency at the Department of Homeland Security in the prior session of Congress as laying a foundation to which they could add, Garcia said.
But Third Way’s overall estimate of bills introduced may not be very helpful, said Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
“It doesn’t count unless it passed,” he said. And in that regard, what Congress did on cybersecurity wasn’t much different than it did anywhere else, because lawmakers aren’t getting as many bills enacted into law these days: “You start from the premise of dysfunction.”
Where it might be informative is as an indicator of lawmakers’ political math, Lewis said, as they chase positive publicity related to issues in the news.
“If we had the Times and the Post run for six months articles saying that asparagus was crucial, you would get 100 bills,” he said. “There’s the flavor of the week, and members want to introduce the bill that has that flavor in it. And really, it’s an exercise in its politics but it’s not actually policy.”
Still, it’s a plus for the nation when “lawmakers can even spell ‘cybersecurity,'” he quipped.
Garcia conceded one way in which its tally offers an incomplete picture. By one estimate, the annual defense policy bill known as the National Defense Authorization Act (NDAA) included 77 cybersecurity provisions in its latest version. Increasingly, that annual “must-pass” legislation is coming to encompass a lot of lawmakers’ cybersecurity policymaking.
“So you almost have this kind of militarization of cybersecurity,” said Garcia, adding that one upcoming Third Way project is to look at the NDAA’s place in cybersecurity legislation.
The Third Way analysis at least partly took into account bills that became folded into other, larger measures. The organization figured that 45 cybersecurity bills got absorbed into legislation like the NDAA and annual spending measures.
Third Way found other shortcomings in congressional focus on cybersecurity.
“Despite Congress’ increased attention on cyber-related actions, a concerning gap remains in the legislative focus on cyber enforcement — identifying, stopping, and imposing consequences on malicious cyber actors,” the analysis reads, noting that only 11% of introduced bills fit that description.
More than half of the bills had bipartisan sponsorship, according to the study, although election security often divided the two parties. The bipartisanship trend on cyber reflected Congress tending to be more cooperative on national security as a whole, Garcia said.
Lewis observed that Congress also often fought on Russia, considered one of — if not the — biggest cyber threat to the United States. Republicans sided with President Donald Trump on election security and Russia fights in Congress, given his animus toward suggestions that the Kremlin helped him win office in 2016. “That might change as Trump administration recedes into memory,” Lewis said.
Looking ahead, Garcia anticipated that legislation responding to the SolarWinds hack might drive legislation in the current, 117th session of Congress. And the new Democratic leadership of the Senate Homeland Security Committee has indicated a focus on helping state and local governments on cyber.
Garcia saw reasons to be optimistic about a national data breach notification law, something Congress has failed to enact for more than a decade. He said key lawmakers have voiced support for moving data breach notification legislation.
And he said ransomware might consume lawmakers as “it’s affecting just everybody.” But with Congress’ interest in cybersecurity still growing — cyber bills accounted for just 3% of all legislation introduced — “the number’s just going to keep going up and up.”