It will be a banner year for cybersecurity debates in Congress — and that isn’t necessarily a good thing, says Michael Bahar, the staff director of the House Intelligence Committee.
“We have kicked off the year with a lot going wrong with Russia and its hacking,” he says.
While there are multiple probes in the House and Senate to investigate the breadth and depth of Russia’s influence on the 2016 presidential election, those retrospective efforts are just a portion of the task ahead for lawmakers who handle cybersecurity issues.
“For far too many industries, we are in a pre-Enron phase. If you think about Enron, what led to that was board members and senior executives at companies saying it looks fine and if it’s an accounting issue, then take it to accounting. And I think that’s where we are in many industries for cyber,” Bahar said a panel discussion Wednesday at the Washington, D.C.-based Hoover Institution. “And what I think that means is that a lot of it will be driven by what the courts do. And how Congress will respond to that.”
Bahar and other aides from the House Homeland Security Committee, House Intelligence Committee and Senate Intelligence Committee spoke to some of the debates on the horizon. Nascent cybersecurity liability and insurance policies — those backed by private industry and shaped by pending court cases — will be among the most vital catalysts to spur fresh laws in 2017 at both the state and national level, said Brett DeWitt, a staff director for the House Homeland Security Committee’s Cybersecurity and Infrastructure Protection Subcommittee.
When it comes to government, House Homeland Security’s big focus in 2017 will be to establish a cybersecurity agency within the Homeland Security Department, DeWitt said, that will “elevate the cyber mission” and streamline DHS’ responsibilities. Other issues for the committee include federal workforce recruitment assistance initiatives, DeWitt said.
“We have the authorities in place, clarifying the roles and responsibilities for the inter-agencies — kind of who does what — but what’s missing now is what underpins those authorities, which is the organizational structure and how do you streamline, for example, DHS,” said DeWitt. “We’ll be looking at the meat and potato issues … talking about acquisition, procurement, how do you build a larger human capital pipeline for both the federal government and private sector.”
Section 702 returns
Next week, the House Judiciary Committee is planning to host the first in what is likely to be a series of hearings focused on renewing Section 702 of the Foreign Intelligence Surveillance Act, otherwise known as FISA. Section 702, which gained notoriety in the aftermath of the Edward Snowden leaks, allows the U.S. government to conduct intelligence gathering operations aimed at foreign persons located abroad.
The push to renew, and possibly tweak, Section 702 will be one of the year’s largest legislative battles of the year, said House Intelligence Committee Counsel Allen Souza, as the measure is set to expire in December due to a sunset clause. Souza said that section of FISA is critical for the U.S. to fight cyber criminals.
“When a cyberattack happens, however you want to define it, it’s important especially in government to understand who did it,” said Souza, “it means making sure the intelligence community has the tools they need to figure out the plans and intentions of bad actors abroad.”
Discussions on Capitol Hill concerning 702 will shine a spotlight on a collage of other, semi-related policies, including those related to data privacy, encryption and data transfer laws, explained Souza, broadening what is already expected to be an expansive policy debate.
Congressional aides say they are preparing for these legislative battles.
“I do think we are taking a proactive approach [this year] from both sides and trying to look at it from the ground up — foundationally — what needs to transpire so that we are not in a predicament where it’s a last minute fire drill [with 702], for example,” said Senate Intelligence Committee Counsel Brett Freedman. “I think that [the Cybersecurity Act of 2015] started things from an informational sharing perspective but I think … we need to move that forward to a more cooperative and collaborative environment.”
Originally enacted in early 2016 as part of an omnibus spending bill, the Cybersecurity Act is among the most comprehensive pieces of legislation that guides interactions between the private and pubic sectors. The cyber threat intelligence sharing aspect of the Act, however, has largely fallen short; failing to attract significant participation from private companies.
It remains possible that 2017 will see new legislation and increased outreach to overcome some of these existing struggles.
“It is one thing to have information sharing, it is another to have a collaborative, open and active dialogue to really get an understanding for what people are seeing in the private sector. And how can government assist in that,” Freedman said.
Who’s in charge?
The technological intricacies involved in drafting cybersecurity legislation — and the topic’s inherent tendency to cross borders and business sectors — are expected to further complicate matters. The relevant legislative responsibilities likely will be spread across a diverse list of committees and lawmakers. Some are less equipped than others.
Over the last several weeks, multiple congressional committees have jostled over who should lead an investigation into Russian hacking operations. Those disagreements could foreshadow larger issues over cybersecurity jurisdiction in Congress.
“One thing we’re trying to do is education but at the end of the day political dynamics can and often do change,” Bahar said. “We started, and I think it’s really good, a 702 education process last year, to make sure that in the calm of the day people at least know — these are members as well as the broader public — what exactly section 702 means … so if something does go wrong, it’s not, ‘Oh my God what is 702, let’s get rid of it, let’s start over.’ The education piece is really important.”
A executive order on cybersecurity is expected to be signed in the near future by President Donald Trump, but the leaking of multiple, slightly different, versions to news outlets has also left congressional offices and industry groups questioning what the document eventually will contain.
“At any point in time, the executive branch could come down and say ‘we want this as a priority.’ So it’s also for us trying to understand, to figure out exactly what the executive branch is doing. What are their priorities over the next few years? We are trying to do that as well,” Souza said. “Who knows what will happen tomorrow?”