As agencies work on strengthening their cybersecurity postures, filling positions in their security offices and countering both foreign and domestic cyber threats, Congress is simultaneously working to solve some of these systemic issues in both the federal government and with state and local government. At the 2020 RSA Conference, senior staff from both houses of Congress discussed their priorities for the current legislative year and beyond.
The first priority for the Senate Committee on Homeland Security and Governmental Affairs is to mark up and eventually pass legislation that gives CISA administrative subpoena authority to identify and remedy vulnerabilities in critical infrastructure.
“That’s exactly what CISA is supposed to do as our nation’s risk advisor,” said Michelle Woods, director for the Senate Committee on Homeland Security and Governmental Affairs. “We are moving forward with advancing that legislation. It will likely be on one of our next markups to be passed out of our committee.”
The second priority for the committee is to address the cybersecurity workforce issue by closely examining and identifying ways to reduce barriers to cybersecurity professionals working for the government.
“We’re looking at how to make it easier for people to come into and out of government,” said Jeffrey Rothblum, senior staff member on the Senate Committee on Homeland Security and Governmental affairs, “as well as into and out of industry.”
One component of that approach, Rothblum added, is looking to shorten the hiring pipeline to be closer in line with industry’s hiring timeline.
The House Homeland Security Committee is taking a long-term perspective on closing the cybersecurity gap, holding hearings with not just government and industry, but also with academia to build cybersecurity skills at high schools, colleges and universities. There is a focus on diversity, not just in terms of talking to historically black colleges and universities (HBCUs) but also diversity across genders, regions and perspectives, said Majority Staff Director Hope Goins.
The third priority of the committee is to develop a system to know “who’s in charge” with regard to security efforts, Woods said.
“The federal government loves to say ‘whole of government,'” Woods remarked, noting that in Chairman Johnson’s view, this encourages everyone to work together, but can make it unclear who is the “strategic leader.”
On the House side, election security continues to be a focus for the House Homeland Security Committee.
“We still continue to do election oversight,” said Goins, highlighting just one aspect of the committee’s work. “We’ve held hearings … we speak with local election officials, and we have a good relationship with … CISA on this issue.”
The committee’s work on this issue, Goins emphasized, is underpinned by a drive to maintain public trust in elections.
The Senate, too, is focused on supporting public trust, Rothblum said, including countering disinformation both for elections and the 2020 census. This work includes holding hearings with social media companies to understand how they counter disinformation and consider how they might improve those efforts.
“A lot of work we do on the committee isn’t just legislation and advancing policy issues,” Woods said. “We’re conducting oversight [and] we’re looking at the budgets … we can work with the appropriations committees to make sure agencies are getting the resources they need.”
Recognizing that state and local jurisdictions have become new targets for ransomware and other threats and that these jurisdictions are ultimately responsible for conducting elections, both sides of Congress have talked to both these jurisdictions and CISA to develop greater resiliency.
“We have so much buy-in on our state and local legislation,” Goins said, adding that a key component of legislation has been allocating funding for these jurisdictions to implement security measures in both presidential and midterm election years.
“We’ve had a similar hearing to what [the House] did,” Woods added. “On the Senate side, [we’ve added] a state and local coordinator role.”
This coordinator role would help these jurisdictions find vulnerabilities linked to “bad cyber hygiene” and quickly patch them, providing a link between CISA’s risk advisories and state and local implementation.
The committee directors all said they look forward to the release of the Cybersecurity Solarium Commission’s report March 11 as well as subsequent hearings to understand how the commission’s recommendations would change the federal cybersecurity landscape.
“We’re looking for the commission to guide us in regard to our cybersecurity posture,” Woods said.