Bipartisan legislative opportunities and prospective agenda for the 117th Congress and incoming Administration on cybersecurity, data privacy, and IT.
At A Glance
- Cybersecurity is a rare opportunity for bipartisan legislative action.
- Congress will seek to address data privacy, but the fate of a new federal law is uncertain.
- Cybersecurity in corporate supply chains will be a priority for the Biden Administration.
Lay of the Land
During the Trump Administration, any discussion of cybersecurity inevitably became linked to election security and Russian interference in our elections. With Republicans seeking to avoid angering the president, legislative progress was impossible. While some issues will continue to be politically tricky, including privacy and data ownership, removing that dynamic should allow for bipartisan progress on others such as supply chain security and infrastructure investments pressing cybersecurity and IT modernization issues.
While President-elect Biden has not been a particularly vocal and active leader on cybersecurity issues, Vice President-elect Harris has a history of working on these issues and congressional leadership in the cybersecurity space remains intact.
The Cyberspace Solarium Commission report provides a good roadmap for potential action. Implementation of the Department of Defense Cybersecurity Maturity Model Certification process and the Federal Acquisition Security Council (FASC) interim final rule will also bear watching. In addition, modernizing the federal government’s IT infrastructure, the continued rollout of 5G and the security of the Internet of Things will all be issues to watch.
Cybersecurity and the federal IT modernization effort that it requires continue to receive bipartisan support and attention, although certain issues such as privacy and device security generate concerns that do not fall neatly along ideological lines. The key stumbling blocks to progress on cybersecurity policy tend to be funding levels and finding compromise on how proscriptive federal policies should be. Whereas privacy issues tend to unite Republican civil libertarians like Sen. Rand Paul (R-KY) and more liberal members such as Ron Wyden (D-OR) and Ed Markey (D-MA), creating political dynamics that are difficult for Senate leadership to navigate.
- Solarium Commission Recommendations. The Cyberspace Solarium Commission (CSC) was established in the 2019 National Defense Authorization Act (NDAA) to develop recommendations for policymakers on a strategic approach to defending the U.S. against cyberattacks. The CSC published its report earlier this year, and made over 80 recommendations, including over 50 legislative proposals supporting a layered deterrence approach. The report should be considered a roadmap that lawmakers are likely to borrow from in forming legislative proposals to “own” in the cybersecurity space.
- Election Security. Considering the role that President Trump played in blocking improvements to election security, he may, in the end, provide Republicans with the political cover to move forward on process and security enhancements needed to rebuild confidence in our election system. Senate Republicans, at the behest of the White House, refused to consider election security legislation over the past four years because any discussion of needed improvements was viewed by the president as delegitimizing his 2016 campaign victory. Trump’s claims of massive fraud during the 2020 election, however, could bring the parties together on the issue.
- Securing 5G Networks and Internet of Things. As usual, technology infrastructure continues to outpace the legal regimes framing it. The most visible policy debate over 5G to date has been over whether Chinese telecom giant Huawei can participate in the buildout of 5G networks for America and its allies. However, 5G networks present considerable security risks and policy issues beyond the supply chain, including the cost of infrastructure build-outs, data security and privacy standards, not to mention the implications for every existing industry and new technologies that can now (or soon) be brought online.
- Securing Public Sector Cyber Assets. Federal IT systems are woefully outdated, and that is creating cybersecurity vulnerabilities across the entire federal government. The sudden, mass migration to remote work due to the Coronavirus pandemic has only heightened the need to improve the cybersecurity of federal networks.
- Privacy. Congress will likely attempt to negotiate legislation to create federal privacy standards, although the fate and contours of a bill are far from clear. Leadership of the Senate Commerce Committee remain deeply divided over issues of state preemption and liability that will be difficult to navigate.
The incoming administration is likely to give these issues significant attention, if for no other reason than that they will be unavoidable. Both foreign and domestic cybersecurity policy issues will be high priorities. While the president-elect’s limited history on cybersecurity and IT issues, Vice President-elect Harris has strong connections to the tech industry, having built her political career in northern California.
- Supply Chain Security. In its interim rule, published in September and set to take effect on November 30, the Defense Department adopted regulatory changes to its acquisition regulations intended to roll out the Cybersecurity Maturity Model Certification (CMMC) process incrementally until late 2025. After that, CMMC will be required for all non-commercial off-the-shelf acquisitions. On the civilian side, the Federal Acquisition Security Council (FASC) released its strategic plan earlier this year to help federal agencies build supply chain risk management programs for their information and communications technology (ICT). Expect the Biden Administration to continue moving forward on these initiatives.
- Foreign Policy. The Biden Administration will likely be far more aggressive in dealing with cyber-attacks from persons and entities directly or indirectly tied to foreign state actors, particularly Russia. The Administration will also seek to build on some of the successful but under-the-radar efforts of the Trump Administration to enhance our election security infrastructure.