Congress this week is slated to pass what just might be the most significant cybersecurity legislation ever.
This year’s annual defense policy bill, known as the National Defense Authorization Act (NDAA), is loaded with provisions that would reshape the federal bureaucracy on cybersecurity. It would create a national cyber director in the White House and strengthen the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), among other changes.
“I believe it’s safe to say that this is the most important piece of cybersecurity legislation ever passed” should the final bill advance this week, said Sen. Angus King, I-Maine, who co-chaired the Cyberspace Solarium Commission that produced many of the proposals in the legislation.
Mark Montgomery, executive director of the commission, called it “the most substantive” cyber legislation Congress will have passed. Others agree. “I think that’s true, 100%,” said Jonathan Reiber, a former Defense Department cybersecurity official during the Obama administration and now senior director for cybersecurity strategy and policy at the security vendor AttackIQ.
The House is expected to vote on the bill Tuesday, with Senate consideration to follow. There is still one impediment after that: a veto threat from President Donald Trump, who wants Congress to include language to revoke social media’s legal protections for content published on their sites by others.
But it’s not clear whether Trump will act on his threat. Even if he does, Congress likely would have the votes to overturn a veto — although depending on the timing of Trump’s decision, it could push final passage of the legislation into next year.
What it does
In all, the Solarium Commission got 26 of its recommendations in the defense bill, out of the 34 it sought this year and 52 that Congress could act upon. It made more than 80 recommendations in all, though some of them aren’t for Congress, such as proposals that the executive branch could enact on its own.
Montgomery said the commission reviewed studies showing that “agenda” commissions typically get 31% of their recommendations fully enacted within roughly three years.
“I’m thrilled with how many of the provisions of the Solarium recommendations got put into the NDAA,” said Rep. Jim Langevin, D-R.I., who serves on both the House Armed Services Committee and the Solarium Commission.
The White House national cyber director position is the biggest. But there are others nearly as big.
CISA is a major beneficiary. The legislation would give DHS’ cyber agency the power to issue administrative subpoenas to internet service providers when it detects critical infrastructure security vulnerabilities but can’t track down the owner. It also would grant authority to CISA to conduct threat hunting within federal government networks, and would create a Joint Cyber Planning Office within CISA.
Langevin said that office was necessary because such planning is currently done only on an “ad hoc” basis, such as with the “Russia Small Group” task force created by the National Security Agency and U.S. Cyber Command to counter Russian influence.
The bill would direct the executive branch to conduct “continuity of the economy” planning in the event of a catastrophic cyberattack to keep goods and services flowing. It would order a force structure assessment of Cyber Command’s Cyber Mission Force to determine whether the requirements last established in 2013 are appropriate.
The legislation also contains major provisions on cyber that weren’t the work of the Solarium Commission. One such proposal would instruct the director of CISA to hire a cybersecurity director for each state. The goal is to increase cyber coordination between states and the federal government.
And for the first time ever, the legislation has an entire section devoted to cybersecurity matters. There are so many security provisions that just the list of them in that section takes up nearly two full pages, but there are others with cyber ramifications scattered throughout.
The veto threat
Right now, though, the bill remains on the “one-yard line,” King said. Trump has threatened to veto the measure if it doesn’t revoke the social media legal shield, known as Section 230.
Senate Armed Services Chairman Jim Inhofe, R-Okla., has said he supports revoking Section 230 but the defense policy bill isn’t the right place for it.
Most consider it unlikely that a veto would succeed, even if Trump holds firm. The annual NDAA usually receives broad bipartisan support, which means Congress would likely vote to override a Trump veto. Congress has a 59-year streak of enacting the NDAA.
Aides to the Armed Services panels last week said that they would take things one step at a time if Trump issues a veto. But one complication would be if Congress runs out of time this year to hold a veto override, one aide said.
That could push this year’s bill into 2021. “It’s not as easy as just taking this bill and in a new Congress, sticking up the exact same bill,” the aide said. “There would be a lot more complexity than that.” Next Congress brings new committee leadership, and new lawmakers, who might take a different approach, King said.
The legislation is too important not to be signed into law, King and others said.
“This year’s National Defense Authorization Act is a must-pass,” said former CISA Director Chris Krebs, speaking at a Washington Post event last week. “Not just for CISA, but for the entire national security community, it must pass.”
What’s left undone
One of the other biggest Solarium proposals was for Congress to create standalone Cybersecurity Committees. King said he knows that will be hard, as lawmakers are loath to give up legislative turf.
But in order to get all of the cybersecurity language into this year’s NDAA, backers needed 180 clearances from House and Senate panels, both majority and minority, before those provisions could be included, King said.
“The experience that we’ve had this year underlines why it’s important,” King said. “The jurisdiction over this subject is so scattered around the Congress. It really does make it hard to have a coherent policy.”
Some of the other major recommendations left on the table include creating an assistant secretary of State for cyber, a Bureau of Cyber Statistics similar to the Department of Labor’s Bureau of Labor Statistics and a National Cybersecurity Certification and Labeling Authority.
And the commission recommended amending the Sarbanes-Oxley Act, a 2002 law designed to improve oversight of corporate failures, to include cybersecurity reporting requirements.
The State Department idea caused disputes over how the assistant secretary position should be structured, King said, and lawmakers ran out of time to resolve them. Other recommendations, Montgomery said, weren’t good fits to include in the defense authorization measure.
But the commission isn’t done producing recommendations, either. It produced a “pandemic annex” in response to COVID-19 and white papers on supply chain security and the cyber workforce. Montgomery said those would lead to more legislative proposals.
The defense bill contains language to extend the life of the Solarium Commission for one year, too, which gives staffers more time to work on the remaining recommendations.
Then there’s the incoming Biden administration, which might have its own take on the commission’s remaining recommendations.
“I think we’re both wanting to make ourselves and our commission highly available to the Biden transition team and hope to have a discussion with them on these issues,” Wisconsin Rep. Mike Gallagher, who co-chaired the commission, said of King and himself. “We’re going to have a dialogue.”
How they did it
It helped the Solarium Commission that King and Langevin serve on their chambers’ respective Armed Services panels. But King said another key was that the commission wrote legislative language for those committees to consider.
“Instead of just throwing recommendations over the transom and saying, ‘Here’s something we think you should do,’ we handed the committees finished, drafted legislation,” King said.
The commission was also bipartisan: Gallagher was the Republican co-chair, and while King is an independent, he caucuses with Democrats. Gallagher touted the “public diplomacy” effort of the commission, such as circulating its proposals in think tanks and across agencies.
Reiber said the commission also hired savvy staffers and that it included experienced hands like Chris Inglis, a former deputy director of the NSA.
“Those people are good synthesizers of information. They did a deep analysis, they had a rollout and they did it professionally,” he said. “In cybersecurity we talk about people, process and technology, and the world tends to fetishize technology. The successes of the Cyber Solarium Commission indicate the tremendous value of process.”
Sean Lyngaas contributed to this story.