What should be next on Congress’ cybersecurity agenda?
The $1 trillion Infrastructure Investment and Jobs Act passed earlier this month includes $1.9 billion for government cybersecurity spending for a range of initiatives, but Congress is weighing many other proposals for cybersecurity regulation with murkier futures.
Prompted in no small part by the high-profile ransomware attacks on targets like Colonial Pipeline and JBS Foods earlier this year, the past six months have seen a flurry of cybersecurity proposals in Congress. Some are aimed very narrowly at the specific problem of cyberattacks targeting pipeline companies, but what’s striking is how wide-ranging the various proposals under discussion are—and how many of them aren’t clearly linked to remedying a particular security compromise or shoring up a single industry sector.
“There are so many proposals out there that it’s still very much anyone’s guess what the next set of cybersecurity regulations are going to look like,” said University of Minnesota law professor Alan Rozenshtein.
Congress’s interest in cybersecurity is not new, but that interest has historically been reactive to the headlines: stories about election risks give rise to bills focused on voting system security, or reports of Chinese cyberespionage lead to proposals to block trade with foreign firms that steal proprietary business information from breached computer systems. Now, the policy space seems to have matured to the point where enough lawmakers and regulators in Washington have cybersecurity-related bills ready to go that they can seize upon new incidents to introduce a scattershot of proposals.
For example, there’s a bill to establish a National Cyber Exercise Program to run simulations of cyberattacks and learn from them. Another would focus on government efforts to help secure industrial control systems. Still another would require critical infrastructure operators to report cybersecurity incidents within 72 hours of detecting them. A fourth would create apprenticeship programs within the government to help train workers and veterans in cybersecurity. And there are more than a dozen other bills circulating with related cybersecurity proposals—all of which is good news when it comes to cybersecurity regulation, but also creates a new challenge for the previously relatively under-regulated space: how to decide which legislative priorities to focus on.
The amount of Congressional activity around cybersecurity suggests it might actually be possible to pass legislation right now, but the lack of clear focus and consensus around what that legislation should say makes it harder to predict which, if any, of these proposals will gain traction. And one of the risks of having so many proposals in play is that it may become increasingly difficult for lawmakers to reach agreement about what the most important cybersecurity priorities are if each one is championing their own bill.
Still, despite this diversity of proposals, most of the bills currently under consideration fall into a few categories: cybersecurity reporting requirements, critical infrastructure protection, workforce development, and funding for state and local governments to shore up cybersecurity efforts across the country. Within each of these categories, the real question is just how ambitious Congress will want to be in who it applies these policies to—will it mandate reporting of cyberattacks for all businesses or just critical infrastructure providers? Will it require everyone to report when they’ve fallen victim to a ransomware attack, or only those who actually decide to pay the ransoms? Will critical infrastructure providers be required to meet baseline security standards established by the government, or just be given the option of receiving more technical assistance and threat intelligence from the Department of Homeland Security?
As more of the current bills are combined and consolidated, it seems possible—likely, even—that they will become less broad in scope as they are narrowed down to focus on smaller groups of companies and directed more towards voluntary assistance instead of cybersecurity requirements in order to win approval from a larger set of lawmakers. Still, some of the most exciting proposals on the table remain relatively ambitious and lay out some very clear, significant requirements for companies.
For instance, Jeff Kosseff, associate professor of cybersecurity law at the United States Naval Academy, highlighted the Cyber Incident Notification Act of 2021 as “the most important and interesting bill” currently under consideration because of its requirement for federal agencies, contractors, and critical infrastructure operators to report cyber intrusions within 24 hours of detection.
“Unlike most cybersecurity legislation, it expands coverage beyond merely data breaches, and it focuses on the types of organizations that are the highest priority for national and economic security,” Kosseff said, adding that he’d also like the federal government to pass a national data breach notification law for all industries that preempts the state laws.
Gus Hurwitz, a professor at the Nebraska College of Law, pointed to the related Cyber Incident Reporting for Critical Infrastructure Act of 2021, which sets a 72-hour deadline instead of a 24-hour deadline for reporting incidents, as the most important of the various reporting proposals. Hurwitz also noted that there are several areas related to cybersecurity that he would like to see receive greater attention from Congress, including on-shoring manufacturing and securing the phone network.
Tarah Wheeler, a fellow at Harvard Kennedy School, also emphasized the importance of decisions about how the cybersecurity money allocated in the infrastructure package is spent. For instance, $21 million from that package will go towards establishing the new Office of the National Cyber Director, and Wheeler said she hopes that office will focus much of its attention and energy on patch management and on forcing government offices and agencies to update their software on a regular basis. “Just because we’re bored with the audit cycle and patch management cycle doesn’t make it not the single most important thing we can focus on,” Wheeler said.
“[National Cyber Director] Chris Inglis should have a website and the only thing it does is post numbers that describe the average time-to-patch for every single government agency,” she added.
For Rozenshtein, the general prescription is pretty straightforward: funding. “I think the government’s top priority should be shoveling massive amounts of money into basic cybersecurity research,” he said. Money can also help close the talent gap between the private and public sectors, he added. “If they offer highly paid fellowships where they can hire a Google or Apple engineer at the NSA and pay them real money.”
There’s reason to be hopeful that Congress is moving towards investing serious money in cybersecurity and implementing serious policy measures to support that investment. But the US government has been here before: after the Chinese cyberespionage campaigns in 2014, and the Sony Pictures breach, and the Office of Personnel Management breach, and the 2016 election interference, and the Cambridge Analytica scandal—and each time, the determination to take cybersecurity seriously and pass significant regulation has fizzled before any substantive changes were made.
Even today, part of the challenge may be how little clear consensus there is around what should happen next or what a proactive policy agenda for data and network protection would look like. Without that clearer vision for what regulatory regime we’re working toward, it’s easy to imagine how Congress could give up on this issue yet again before it’s managed to make any real progress.