The federal government and private sector are still reeling from the SolarWinds supply chain hack, and Congress is on edge as it begins a new term beset by fears of domestic terrorism. It would seem all bets are off in terms of the previous legislative agenda for cyber security, at least in the near-term.
The relevant committees in the new 117th Congress have yet to weigh in on specific pieces of legislation, but it’s clear that cyber security will be a big focus across both the House and Senate.
First, in the wake of the discovery of the SolarWinds breach, the incoming Biden administration committed to making cyber security a top priority. Late last week, the Biden team made good on that promise when announcing its Rescue Plan that calls for around $10 billion in cyber security spending, including $690 million for CISA to improve security monitoring and incident response at the agency.
One of the legislators leading the fight for cyber security legislative initiatives in Congress, Representative Jim Langevin (D-RI), applauded Biden’s push for more cyber security spending.
“I’m also grateful to see the president-elect pushing for important investments in cyber security in the wake of the SolarWinds hack, which has placed a spotlight on the need to act now to protect Americans and our interests in cyberspace,” he said in a statement lauding the overall rescue package.
Warner: Raise breach reporting requirements
Incoming Intelligence Chair Mark Warner (D-VA) said he would hold hearings on the SolarWinds hack and plans to reexamine the concept of a mandatory national data breach notification law. Speaking at an Aspen Institute webinar on January 7, the day after the rioters’ siege of the Capitol, Warner said that the SolarWinds breach, a devastating breach likely perpetrated by Russian state actors, nevertheless “paled in comparison to the damage done to our country in the last 24 hours.”
To Warner, the question is whether the SolarWinds incident is within the bounds of acceptable espionage. To answer that question, Warner thinks we need to “create some level of international norm-setting, some rules of the road. Better cyber hygiene alone is not going to win the battle.”
In terms of mandatory breach reporting requirements, Warner said, “We’re going to need a fulsome review. The fact that the public enterprises don’t even have to fully report to CISA, let alone the private sector where, if the [breach] doesn’t reach a level of materiality, doesn’t even have to report, needs to be fully reviewed.”
More attention on state and local government defence, ransomware
Two other topics that have climbed in priority over the past few months that will likely receive top attention on the Hill include:
- The State and Local Cybersecurity Improvement Act, which was introduced in February but passed by the House in September. House Homeland Security Committee Chairman Bennie Thompson (D-MS) said he plans to re-introduce the bill, which will allocate more funds through a $400 million grant program so that state and local governments can build better cyber security defenses.
- Ransomware attack legislation: Up-and-coming Democratic party star Lauren Underwood (D-IL), who ascended to head the House Homeland Security Committee’s cyber security subcommittee, said in November that legislation aimed at addressing widespread ransomware attacks would be a top priority, to give local governments funds to grapple with the attacks.
To date, only three bills that specifically mention cyber security have been introduced in the 117th Congress. The first is HR 117, introduced by Representative Sheila Jackson Lee (D-TX), which amends the Homeland Security Act to establish a DHS cyber security on-the-job training and employee apprentice program.
The second bill is HR 1, For the People Act, introduced by Representative John Sarbanes (D-MD), which encompasses several election security measures. The third cyber security-related bill is HR 21, the FedRAMP Authorization Act, introduced by Representative Gerald Connolly (D-VA), to enhance the security, innovation, and availability of cloud computing in the federal government.
Capitol siege raises cyber security priority
“From a cyber security perspective, the [siege of the Capitol] should only amplify the prioritisation of the [cyber security] agenda,” Kiersten Todt, managing director of the Cybersecurity Institute, tells CSO. Moreover, the SolarWinds breach highlights the fact that supply chain security ought to be a major topic for discussion.
“We still don't have a solid strategic and actionable approach to supply chain security,” Todt said. “You've got the things coming out of the Pentagon and all these things, but we're not really looking at it holistically and strategically from a senior level. I'd like to see the national cyber director take this on again in a very actionable way,” she says, referring to a revived role for a cyber “czar” in the White House approved by Congress in late 2020.
Todt thinks two other issues that the new Congress should address are the role of CISA and the continued improvement in election security. CISA has a “very lean and scarce workforce that in May of last year was responsible for protecting the presidential election, securing government and private infrastructure, and responding to a pandemic,” she says.
“While we had success absolutely with the 2020 election, I don’t think we solved the problem. I think what we certainly need to do is to recognise that our election process is the foundation of our democracy, and we have to institutionalise it. I don't think we can be relying on an all-volunteer workforce.”
Security of the Capitol itself will be examined
Another new topic on the legislative agenda might be the Capitol's own cyber security, along with the protection of associated Congressional buildings and all the IT networks that run throughout the legislative branch. At this early stage, it’s still not clear how the mob that broke into the Capitol might have damaged the security of any IT system or hardware devices.
Numerous experts say that one thing is clear: There are IT security implications from the events of January 6 that warrant further investigation and, possibly, mandated changes in how the legislative branch operates.
“If the House were appropriately prepared, which means they had an inventory of all the devices being used for professional purposes and they were able to cross-reference that inventory to determine which devices were missing and then able to wipe those devices clean,” then whatever damage the mob caused would not make us concerned about the theft of property, Todt says.
“Additionally, if every member of Congress and staffer had the appropriate protocols in place about strong passwords, etc., then we shouldn’t have a concern. What I don’t know is if that is actually true.”