Congress Takes Action on Cybersecurity

The National Defense Authorization Act (NDAA) for FY 2021, which passed through Congress this month, includes several provisions that would strengthen the cybersecurity infrastructure of the U.S. The NDAA reestablishes the position of National Cyber Director within the Executive Office of the President and allows the Cybersecurity Infrastructure and Security Agency (CISA) to conduct online threat hunting for federal agencies. CISA could then help federal agencies install information technology that they need.

Aside from cyber provisions included in the NDAA, Congress is also attempting to bolster cybersecurity through independent legislation. The Federal System Incident Response Act, introduced by Senators Gary Peters (D-MI) and Rob Portman (R-OH) last week, would improve government response to cyber-attacks like the one that infiltrated federal agencies just a few days ago. It would improve the Federal Information Security Management Act, or FISMA, to create protocol for how agencies should respond to cyber-attacks and instructions for informing people who were affected.

Senator Portman said of the attack, “This attack shows that the federal government is the constant target of many cyber adversaries. This legislation ensures that those who need to be aware of the impacts of an attack such as the one reported over the weekend are well-informed and able to effectively respond.”

FISMA outlines regulations for how agencies should store and handle sensitive data. The proposed legislation would mandate agency heads to report cyber-attacks and crime to CISA and the Office of Management and Budget and would require agencies to mail physical letters to all those impacted by a breach. Furthermore, the bill encourages information sharing between agencies and requires CISA and the FBI to issue reports to Congress on data breaches.

Senator Peters, as Ranking Member of the Senate Committee on Homeland Security and Government Affairs, is also working to include cyber provisions in the omnibus government spending bill currently under negotiation. An aide said, “Senator Peters is working to include a provision in the omnibus which would make sure that Congress is kept informed when significant cyber-attacks occur on federal agencies.”

Overall, with data breaches becoming more common, Congress has focused more on cybersecurity infrastructure. The appointment of a new cyber director, expanding the role of CISA, and additional cybersecurity legislation are manifestations of this increased focus.

President-elect Joe Biden echoed calls to prioritize cybersecurity this week. President-elect Biden said in a statement, “I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office… We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks.”