New Report on Cybersecurity Bills in the 117th Congress

Our sister organization, The Cyber Policy Institute, just published its first, but hopefully not last, report on federal legislation that deals with cybersecurity. The report, Cybersecurity Bills in the 117th Congress, summarizes the 80 bills submitted or passed by the 117th Congress between January 2021 and January 2022. The bills, several of which were included in the National Defense Authorization Act for Fiscal Year 2022 (NDAA), which was signed into law by President Biden on December 27, 2021, cover a wide range of topics from defense and foreign relations to business, workforce and disaster preparedness.

In terms of breadth and depth, it’s impressive to see how much effort the various members of Congress and committees have put into cybersecurity. There’s a tendency to assume that Congress isn’t doing enough about the country’s cyber vulnerability, but the scope of the legislative agenda says otherwise.

Indeed, the report is already missing one major recent bill, which was passed after the report went to press. The Strengthening American Cybersecurity Act, already dubbed “SACA” by the cyber industrial complex, was spearheaded by leaders of the Homeland Security and Governmental Affairs Committee. The bill was sponsored by Sen. Gary Peters (D-Mich), the committee chairman, and its ranking member, Sen. Rob Portman (R-Ohio). SACA proposed more aggressive incident reporting and proposed to modernize the Federal Information Security Management Act (FISMA).

Of the 80 bills covered in the report, five have been signed into law, 10 have passed one or both houses of Congress, and 32 are still in committees. The bills cover national security and defense, protecting intellectual property, protecting American business, defending critical American infrastructure, developing cybersecurity skills in people both inside and outside the government, protecting children’s welfare and protecting Americans’ privacy.

Prepared by Dr. K.S. Little, a Research Fellow at the Cyber Policy Institute, the report breaks down the massive amount of information in the proposed and passed legislation and explains the relevance and impact of the legislation on each sector.

Industry leaders have been receptive to the report. For example, Tyler Young, Director of Security at Relativity, said, “This report does an excellent job of summarizing the 80 bills that have been submitted or passed by the 117th Congress during the first year of its session and really illuminates the breadth of cybersecurity’s impact across different government departments and committees.”

Marcus Fowler, SVP Strategic Engagements and Threats at Darktrace, remarked, “Given the growing global cyber aggression between and from nation-state and non-nation state actors, policymakers need to accelerate the cyber laws outlined, given the sense of urgency commensurate with the threat, especially with Russia’s actions in Ukraine. These events will spill over, at least in cyber, to the targeting of Western economic stability and will extend beyond any eventual stalemate in the on-the-ground conflict. The priorities should be increasing cyber resourcing of federal, state, tribal, and local institutions, expanding the cyber workforce, and formalizing public-private partnership and reporting procedures.”

Chris Olson, CEO of The Media Trust, shared, “Many of the bills before Congress in 2022 address important cybersecurity issues currently facing consumers, businesses and government organizations at an unprecedented scale. Among these are H.R. 4551 which aims to provide better intelligence on state-sponsored cybersecurity attacks, H.R. 474 which makes strides towards national data privacy legislation, and H.R. 807 which creates new protections for exploited children.”

Olson added, “Unfortunately, key factors driving cybersecurity risk in the U.S. are underrepresented or entirely absent from the bills currently before Congress – particularly digital supply chain vulnerabilities that impact websites and mobile applications. Today, the Web is a borderless entity which lacks protections against the activity of advanced persistent threat (APT) groups and state-sponsored threat actors. This oversight leaves Americans wide open to manipulation and compromise.”

Olson makes a valid point, one that underscores the difficulty in trying to legislate the country out of its cyber vulnerability. Some issues are structural, such as the “borderless” nature of the Web. Unless laws can deal with that weakness, a great deal of risk exposure remains. In addition, legislation is subject to execution, and as we have seen, this can fall apart despite the best of intentions.

 

To download the report, visit https://cyberpolicyinstitute.org/wp-content/uploads/2022/03/CybersecurityBills-117Congress-final.pdf