Why Congress Is Stuck on Cybersecurity

A jurisdictional morass, minimal technical expertise, perverse intelligence-community incentives, and an apathetic public have all stymied Capitol Hill’s attempts to plug major holes in America’s cybersecurity.

Sen. Ben Sasse (right), accompanied by Sen. John Kennedy, speaks during a Crime and Terrorism subcommittee hearing on Oct. 31, 2017.
AP Photo/Andrew Harnik
Brendan Bordelon
March 6, 2018, 8 p.m.

Capitol Hill was repeatedly rocked last year by news concerning two of the worst cyberattacks in American history—the Russian government’s hacking and disinformation campaign to influence the 2016 presidential election, and the theft of nearly 150 million Americans’ sensitive data from credit-rating agency Equifax.

The attacks and their ongoing fallout sparked a series of fist-pounding congressional hearings, along with a deluge of cybersecurity legislation designed to address shortcomings in both the civilian and national security sectors. But as midterm elections loom and lawmakers jockey over fast-evaporating floor time, it’s increasingly clear that Congress is unlikely to pass meaningful cybersecurity provisions before the end of this legislative cycle.

Andrew Howell, a cybersecurity lobbyist at Monument Policy Group, puts those chances at around 10 percent. Howell said he had hoped the sheer magnitude of the Equifax hack would cause lawmakers and business interests to unite on a comprehensive data-breach-notification bill.

“I think if people had wanted to change data-breach rules, they could have turned Equifax into a pivot point,” he said. “But instead they chose to have the same old fight again, and expect a different outcome.”

It’s not just Equifax. Legislation to protect critical infrastructure from cyberattack, to strengthen protections around the “Internet of Things,” to update financial cybersecurity requirements and to bolster the security of election systems has all been proposed and debated during this Congress. And several lawmakers have repeatedly harangued the White House and national-defense agencies to develop a coherent cyberstrategy that prevents and deters the electronic aggression emanating from Russia and other foreign adversaries.

All of those efforts—so far, at least—continue to come up short.

Crafting significant legislation in any policy space is no easy task, particularly in a political climate riven by partisanship. But experts and lawmakers alike believe that when it comes to cybersecurity, a unique confluence of factors has combined to make the issue particularly unmanageable in Congress.

Overlapping committee jurisdiction is perhaps the primary reason why cybersecurity provisions so frequently snarl on Capitol Hill. Issues such as health care, finance, homeland security, energy, commerce, and defense all play into questions on cybersecurity, and the heads of the committees covering those subjects will jealously guard their right to weigh in on proposed legislation.

The result can be an ungainly, time-consuming mess. Industry-focused cybersecurity bills are sent to die in up to a half-dozen committees, while defense cyberstrategy sessions bog down under the weight of too many lawmakers clamoring to be heard.

“It’s one of the major things I would change around here if I could,” said Democratic Rep. Jim Langevin, whose bill to create a national data-breach-notification standard has seen little movement since he introduced it following the Equifax hack last fall.

“I would have one primary committee in charge of cybersecurity, and drastically reduce the number of committees and subcommittees that have some jurisdiction over cyber,” Langevin said. “There’s too many right now, and it really limits our ability to get things done in a timely fashion.”

Sen. Ben Sasse, a Republican member of the Senate Armed Services Committee, echoed that assertion. In a confirmation hearing for the new head of U.S. Cyber Command last week, Sasse voiced his frustration that the White House and Pentagon still have not developed a comprehensive strategy to push back against foreign aggression in cyberspace.

In an interview with National Journal, Sasse said one of the chief reasons for that paralysis is an overstuffed intelligence community—as well as the lawmakers who enable it.

“One of the reasons why we have 17 intelligence agencies—and everybody knows there are too many—is that a whole bunch of jack wagons over here want to maintain all their prerogatives by keeping all their committees,” Sasse said. “We have too many intelligence-community bureaucracies, and we have too many oversight committees. Of course we should be rethinking a lot of that jurisdiction.”

Some experts see a lack of technical expertise as another hurdle. Cybersecurity’s emergence as a major policy arena is still ongoing, and the technology and networks that underpin it continue to shift and evolve. That can make it difficult for industry experts to understand—and near-impossible for those lawmakers who rarely even use the internet.

“I think we’re still behind the curve in terms of getting that expertise about cybersecurity on the Hill,” said Betsy Cooper, a cybersecurity researcher at the University of California (Berkeley). “It’s not due to a lack of interest. It’s just due to a lack of having the same vocabulary and being able to understand what particular pieces of legislation would do in practice.”

Some experts even question whether Congress really wants to increase cybersecurity, at least on the civilian side. American spies and signals analysts need those vulnerabilities in software and hardware in order to surveil foreign targets effectively. If Congress were to close too many of those loopholes, it could limit the intelligence community’s ability to exploit them.

“There’s no way we have many of these offensive capabilities unless operating systems aren’t secure, widespread web-based applications aren’t secure, mobile apps and mobile devices aren’t secure,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation. “We have a fundamentally broken policy.”

Finally, there’s the apathy of the voters themselves. Despite the headlines, there’s not much evidence to indicate that Americans are particularly riled up by Russia’s cybermeddling or ongoing breaches like Equifax. Unlike health care or immigration, there’s no natural constituency for cybersecurity—or at least, it’s a very small constituency.

That dynamic almost certainly makes a difference when lawmakers calculate the risks versus the rewards of pursuing cybersecurity legislation. “It’s hard for members of Congress and their staffers to see this as an issue that’s incredibly urgent,” said Castro.

“Look at the Equifax hack,” Castro added. “If something of that magnitude had happened in Europe, people would be losing their jobs in Congress, and there would be such an outcry. And there isn’t here.”
