The bill passed by the U.S. House of Representatives to create a new cybersecurity agency inside the Department of Homeland Security faces a tough climb in the Senate despite bipartisan support, observers and staffers say.
H.R.3359, the Cybersecurity and Infrastructure Security Agency Act of 2017, passed by voice vote Monday — moving the bill to the upper chamber. In brief floor remarks, Rep. John Ratcliffe, R-Texas, called the bill a “compromise” that fellow Texan, House Homeland Security Committee Chairman Michael McCaul, had worked on with “dogged determination.”
In a statement, newly sworn-in DHS Secretary Kirstjen Nielsen also praised McCaul’s “tireless work” on the proposal. And well she might: It’s his second attempt — with bipartisan support from Rep. Bennie Thompson, D-Miss. — to create an operational cybersecurity agency within DHS.
The first bill never made it to the House floor last Congress because of turf fights: Nine other House committees have jurisdiction over some element of DHS.
The latest attempt passed only because the three other committees with authority over cyber issues — Energy and Commerce, Transportation and Infrastructure and Oversight and Government Reform — relinquished their jurisdictional claims and allowed it to proceed.
The other committees did so, said staffers, in part because the bill was carefully written to limit its scope — specifically declaring that it’s not conferring any new authorities on DHS.
Instead, the bill simply renames the department’s National Protection and Programs Directorate, responsible for both the cyber and physical security of the nation’s vital industries. If the bill becomes law, NPPD will become the Cybersecurity and Infrastructure Security Agency and its current undersecretary will become a director.
“The bill [that failed] last year was much more ambitious,” said one Homeland Security committee staffer who asked not to be identified. “This year, to get it across the finish line, we crafted it much more narrowly … In my view, that shows the jurisdictional challenges we face.”
But it also suggests that turf issues may be less of a problem in the upper chamber, according to former Senate Homeland Security and Governmental Affairs Committee staffer Christian Beckner.
“There are likely to be fewer turf issues than there have been with other cyber bills, because it is so narrowly drawn … basically it’s just a re-organization of DHS,” he said.
Indeed, the Senate parliamentarian referred the House bill only to Homeland Security. Other cyber bills have been subject to multiple referrals, complicating their chances of passage.
But the committee will likely want to at least amend the House-passed legislation, if not write their own bill entirely, said Beckner. “I think they will lean towards … marking up their own version of the [House] bill.”
If Senate Homeland Security Committee Chairman Sen. Ron Johnson, R-Wisc., wants to write his own bill, Senate tradition would dictate that he hold a hearing, staffers said.
That highlights the stumbling blocks the bill still confronts even if the turf issues are successfully managed, said Beckner.
“The challenges will be at the committee level, prioritizing this among the staff’s other work. And at the leadership level, what are the chances of getting floor time for a debate?” he said. “The road [to getting legislation passed]… is very narrow.”
The House bill will die at the end of the 115th Congress next December — just over a year away, staffers said.
Yet while that may give lawmakers some time, campaigns associated with next year’s midterm elections take away from time that could be spent on getting the bill to pass.
“By the end of the summer Congress will be in campaign mode” for the midterm elections and further legislative progress is unlikely, Beckner said.
Despite this, the prospects for eventual passage in the Senate were “decent,” said Bill Wright, Symantec’s director of government affairs. He added he was “optimistic” that Johnson and Ranking Democrat Sen. Claire McCaskill, R-Mo., would “take this up and make it a priority.”
A committee spokeswoman said only that they were “reviewing legislation as it relates to NPPD,” and didn’t answer follow-up questions.
One champion of the reorganization proposal in the Senate last year remains upbeat about the bill’s chances. Sen. Thomas Carper, D-Del., “strongly supports efforts to streamline and rename [NPPD],” said an aide. “He looks forward to working with his colleagues to find a bipartisan path forward on NPPD reorganization.”
Suzanne Spaulding, a former undersecretary for NPPD, told CyberScoop the name change is crucial to clarify the office’s mission to its staff and other stakeholders.
“No one ever knew what NPPD meant,” she said.
With the name change, “All the parts of the entity can see their mission in the agency’s name and can understand that they all have contributions to make,” said Spaulding. She added that the bill would open the door to other changes, including staffing and acquisition authorities.
“This is another bipartisan success for the House Homeland Security Committee,” she said. “I hope the Senate will find a way to move very quickly.”