U.S. cybersecurity congressional outlook for the rest of 2022

As the 117^th Congress moves into summer, typically the time for legislative doldrums, it’s helpful to look back at recently enacted cybersecurity-related legislation and peer ahead to see what bills could become law before the end of the year. Since the beginning of the current Congress on January 3, 2021, at least 498 pieces of legislation have been introduced that deal in whole or part with cybersecurity.

Of these, only 13 have passed both chambers, and even fewer, nine so far, have become law with a presidential signature. However, many of the most meaningful cybersecurity government actions since this Congress began have stemmed not from legislation but from executive branch actions, most notably through President Biden’s sprawling cybersecurity executive order signed in May 2021.

Noteworthy cybersecurity bills that have become law

The most noteworthy of the bills enacted since our last update on congressional activity in cybersecurity are:

• Cyber Incident Reporting for Critical Infrastructure Act of 2022 passed as part of the giant omnibus spending bill in March and signed by President Biden. That bill rectified what federal agencies have long argued hinders proper cybersecurity incident management, namely the lack of mandated incident reporting. The law requires critical infrastructure entities and federal agencies to report significant cyber incidents and ransomware payments to the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) no later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred. It also requires covered entities to report within 24 hours if they make a ransomware payment. CISA has already started the legwork to get the new reporting rules hammered out under an “aggressive” schedule that will nonetheless span at least two years.
• Better Cybercrimes Metric Act, signed by President Biden on May 5, seeks to improve how the federal government tracks, measures, analyzes and prosecutes cybercrime by developing a taxonomy to categorize different types of cybercrime and cyber-enabled crime. That taxonomy will feed into the National Incident-Based Reporting System to collect cybercrime and cyber-enabled crime reports.
• National Cybersecurity Preparedness Consortium Act of 2021, which was signed into law by President Biden on May 12, allows the DHS to work with one or more consortia composed of nonprofit entities to develop, update, and deliver cybersecurity training in support of homeland security.
• State and Local Government Cybersecurity Act of 2021, passed by both chambers and now awaiting President Biden’s signature, allows federal authorities to conduct cybersecurity exercises with state and local entities, and private companies, providing them with cybersecurity resources. It also expands DHS responsibilities through grants and cooperative agreements, including providing assistance and education related to cyber threat indicators, proactive and defensive measures and cybersecurity technologies, cybersecurity risks and vulnerabilities, incident response and management, analysis, and warnings.

Cybersecurity legislation that could be enacted

Looking ahead, several pieces of cybersecurity legislation seem ripe for enactment.

• Intergovernmental Cybersecurity Information Sharing Act, sponsored by Senator Rob Portman (R-OH), requires the DHS to enter into information-sharing agreements with the Senate and the House of Representatives to support the exchange of information about cybersecurity threats. In addition, under the bill, the DHS must consult with the President’s Executive Office and other executive agencies on the agreements. The Senate Homeland Security Committee voted to move the bill forward in late May. “As we have recently seen, cyberattacks are increasing against our critical infrastructure as well as the federal government. Unfortunately, some of the cybersecurity professionals in Congress have faced lengthy delays in getting information on cybersecurity threats from the Executive Branch. That should not be the case,” Portman, ranking member of the Senate Homeland Security and Governmental Affairs Committee, said.

• DHS Roles and Responsibilities in Cyber Space Act, passed by the House in mid-May and sponsored by Representative Don Bacon (R-NE), in mid-May, requires the DHS to report on its roles and responsibilities and those of its components in responding to cyber incidents. DHS must coordinate with CISA on the report. Bacon said he introduced the bill following the ransomware attacks on Colonial Pipeline and JBS meat processing facilities. “The federal response to these cyber incidents was inadequate and exposed gaps and confusion in how we defend our critical infrastructure,” Bacon said. “It’s clear that our cyber incident response framework must evolve to match the threat.”

• President’s Cup Cybersecurity Competition Act, passed by the House on May 17 and sponsored by Representative Elaine Luria (D-VA), would formalize into law the annual President Cup competition hosted by CISA.
• Cybersecurity Grants for Schools Act of 2022, sponsored by Representative Andrew Garbarino (R-NY) and passed by the House on May 18, allows CISA to award grants or other financial assistance for cybersecurity and infrastructure security education and training programs at the elementary and secondary education levels. States, localities, institutions of higher education, and nonprofits would be eligible for the assistance.

Cyberspace Solarium Commission 2.0’s goals

Mark Montgomery, executive director of the CSC 2.0 Project, the successor to the influential Cyberspace Solarium Commission, shared his thoughts with CSO on what additional cybersecurity legislation he would like to see enacted in this year’s National Defense Authorization Act (NDAA), a late-year legislative vehicle that has often been used to accomplish cybersecurity objectives. His “big four” wish list for the NDAA, based on the original Solarium Commission’s recommendations, are:

• Securing Systemically Important Critical Infrastructure Act, introduced last year by John Katko (R-NY) and Abigail Spanberger (D-VA), would require CISA to identify “systemically important” critical infrastructure most impacting national security, economic stability, and public health and safety. It would also require devising “a private-public compact to establish a minimum level of security for these assets, as well as a third-party testing mechanism and more agile reporting requirements,” Montgomery says. “The participating assets will get increased access to intelligence information, maybe even an opportunity to shape the collection, and most importantly some improved liability protection when they are attacked by malicious cyber actors such as APTs.”
• Cyber Threat Information Collaboration Environment Program (formerly the Joint Collaborative Environment), which, Montgomery says, “directs DHS to develop an information collaboration environment containing technical tools for information analytics and a portal through which relevant parties (government and private sector) submit and automate information inputs and access the environment in order to enable interoperable data flow that enables Federal and non-Federal entities to identify, mitigate, and prevent malicious cyber activity.”
• Bureau of Cyber Statistics Legislation, a Solarium Commission legislative proposal to create a bureau of Cyber Statistics, was proposed last November as part of the Defense of United States Infrastructure Act of 2021, sponsored by Senator Angus King (I-Me). The Bureau would “collect and analyze information concerning cybersecurity, and compile, analyze, and disseminate uniform, anonymized, aggregated national cyber data that will serve as an indication of the prevalence, extent, and attributes of all relevant cyber incidents,” Montgomery says. “It will coordinate with NIST [National Institute of Standards and Technology] to recommend national standards for these cyber statistics. It will also conduct or support research relating to methods of gathering or analyzing cyber statistics.”
• Cyber Diplomacy Act of 2021, sponsored by Representatives Michael McCaul (R-TX) and Jim Langevin (D-RI) was passed by the House in April 2021. Montgomery thinks this bill could be incorporated into funding reauthorization for the State Department as an alternative to the NDAA. It would, Montgomery says, “establish a bureau, reporting directly to secretary or deputy, which coordinates state’s work on cyberspace policy and digital diplomacy to encourage responsible state behavior in cyberspace and advance policies that protect the infrastructure of the internet, serve U.S. interests, promote competitiveness, and uphold democratic values.”