Roughly 115 cybersecurity-related bills are working their way through the legislative process, in many cases with bipartisan support.

The Biden Administration has been thrown into a thicket of cybersecurity troubles in its first six months, forcing the White House to issue complex cybersecurity executive orders, directives and policy changes in rapid succession. Congress, meanwhile, is teeing up an ambitious cybersecurity agenda of its own, sparking hopes that the recent spate of cybersecurity crises might break through the partisan logjam that has increasingly blocked meaningful legislative action.

Last week, Senate Majority Leader Chuck Schumer (D-NY) initiated a review of recent high-profile ransomware attacks in the run-up to new legislation. Then, Chairman Gary Peters (D-MI) and Rob Portman (R-OH), chair and ranking member of the Senate Homeland Security Committee, sent a letter to national security adviser Jake Sullivan and Shalanda Young, the acting director of the Office of Management and Budget, asking the two officials to spell out within 30 days the legal authorities they think federal agencies need to combat ransomware attacks. Their responses could serve as the basis for new legislation to rein in ransomware.

Solarium commission recommendations, complex equities to consider

Representative Jim Langevin (D-RI), the co-chair of the Cyberspace Solarium Commission (CSC), a public-private initiative formed two years ago to help guide Congress on complex cybersecurity issues, hopes the Senate moves quickly on the Cyber Diplomacy Act, a CSC recommendation that passed the House in April. “I also hope the Senate will look carefully at the findings of the Cyberspace Solarium Commission about systemically important critical infrastructure. Recent ransomware incidents have made it clear we need a new governance structure for companies that perform vital national functions,” he tells CSO.

Despite the almost universally recognized need for a new cybersecurity governance structure, some industry experts warn that lawmakers should carefully craft any new legislation to avoid imposing unnecessary burdens. “It’s a complicated question and topic, and there are lots of different equities that need to be taken into account,” Andy Ellis, former CSO at Akamai Technologies and current operating partner at YL Ventures, tells CSO. “I see people calling for punishments on people who pay a ransom, which I think is a disaster of an approach. I would much prefer to punish people who take ransom.”

Around 115 cybersecurity-related bills in the offing

Although Schumer’s nascent legislative push is the most high-profile initiative so far, around 115 pieces of legislation have already been introduced in the 117th Congress that deal directly, in whole or in part, with a broad spectrum of information security issues. These bills range from shoring up the digital integrity of America’s pipelines to further enhancing the security of America’s electoral system.

The current Congress kicked off cybersecurity-related legislation with its first bill, H.R. 1, the sprawling For the People Act. That bill contains several provisions related to the security of America’s elections, including sections that address the need for information sharing between federal and state governments regarding cybersecurity threats to election systems and developing a national strategy and implementation plan to protect democratic institutions from cyberattacks and disinformation. However, the voting rights nature of the bill has aligned the Republicans in both the House and the Senate against H.R. 1, almost certainly dooming its chance of passing.

Other notable bills introduced early in the current Congress include:

- H.R. 21 – Federal Risk and Authorization Management Program Authorization Act of 2021 or the FedRAMP Authorization Act: Introduced on January 4 by Representative Gerald Connolly (D-VA) and passed by the full House the next day, this bill provides statutory authority for the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration (GSA), mandating that federal cloud service providers meet FedRAMP security guidelines.
- The Protecting Consumer Information Act of 2021 (H.R. 474): Introduced by Ted Lieu (D-CA), the bill requires the Federal Trade Commission (FTC) to review whether current privacy standards are sufficient to protect consumer financial information against cyber threats.
- The SECURE Small Business Act (S.161): Introduced by Senator Catherine Cortez Masto (D-NV), the bill requires the Small Business Administration (SBA) to establish a free website that provides a marketplace for facilitating agreements under which small businesses may cooperatively purchase cybersecurity products and services.
- The Cyber Diplomacy Act of 2021 (H.R. 1251): Sponsored by Senator Mike McCaul (R-TX), the bill establishes “the Bureau of International Cyberspace Policy within the Department of State to advise the State Department on cyberspace issues and lead diplomatic efforts on issues related to international cybersecurity, internet access, and freedom, and international cyber threats.” This bill passed the House in April and is headed to the Senate.
- The National Cybersecurity Preparedness Consortium Act of 2021 (S.658): Introduced by Senator John Cornyn (R-TX), the bill allows the DHS to work together with a consortium of nonprofit entities to develop, update, and deliver cybersecurity training in support of homeland security.

Other bills passed by committee head to the full House

May saw a flurry of bipartisan bills reported out of the House Homeland Security Committee to address “a string of disturbing cyberattacks,” including the SolarWinds and Microsoft Exchange server hacks, the Oldsmar water facility intrusion, and the Colonial Pipeline ransomware attack. These bills, which are slated to hit the full House next, include:

- The Pipeline Security Act (H.R. 3243), sponsored by Representative Emanuel Cleaver (D-MO), aims to enhance the ability of the TSA to guard pipeline systems against cyberattacks, terrorist attacks and other threats.
- The State and Local Cybersecurity Improvement Act (H.R. 3138), introduced by Congresswoman Yvette D. Clarke (D-NY), plans to authorize $500 million in grants for local governments to secure their networks against ransomware and other malicious digital attacks.
- The Cybersecurity Vulnerability Remediation Act (H.R. 2980), introduced by Congresswoman Sheila Jackson Lee (D-TX), authorizes the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to help critical infrastructure owners deal with the most critical, known cybersecurity vulnerabilities.
- The CISA Cyber Exercise Act (H.R. 3223), introduced by Representative Elissa Slotkin (D-MI), establishes a National Cyber Exercise program at CISA for more regular testing and systemic assessments of preparedness and resilience to cyberattacks against critical infrastructure.
- The Domains Critical to Homeland Security Act (H.R. 3264), introduced by Ranking Member John Katko (R-NY), authorizes DHS to conduct research and development into supply chain risks for critical domains of the United States economy and transmit the results to Congress.
- The Cybersecurity Disclosure Act of 2021 (S. 808), sponsored by Senator Jack Reed (D-RI), amends the Securities Exchange Act of 1934 to promote transparency in the oversight of cybersecurity risks at publicly traded companies.

Since mid-May, other legislation with cybersecurity provisions has been introduced, including:

- A bill to establish a K-12 education cybersecurity initiative, and for other purposes (S. 1917), introduced by Senator Gary Peters (D-MI), would implement a study on cybersecurity risks facing K-12 institutions no later than one year after enactment.
- The INVEST in America Act (H.R. 3684), introduced by Representative Peter DeFazio (D-OR), is a five-year, $547 billion surface transportation reauthorization bill that directs federal investments in roads and bridges, transit and rail, including a cybersecurity enhancement and resiliency grant program for Amtrak.