Distracted by high-profile developments, gridlocked by partisan resentment, and time-crunched due to the election year, Congress is nevertheless swinging into gear on specific cybersecurity issues, Washington insiders told attendees at Shmoocon 2020 this past weekend. Among the top items that Congress might tackle are new subpoena powers to address critical infrastructure threats, a big-picture policy report, and copyright law exemptions that protect security researchers.
Congressional interest in cybersecurity has escalated over the past decade, the panelists agreed. "Congress members are aware of a challenge. They want to do something to fix it," Nick Leiserson, legislative director to Congressman Jim Langevin (D-RI), a senior member of the House Armed Services and Homeland Security Committees, said. "There is engagement, and that is very important. That is a change that is not where we were ten years ago when my boss was being looked at [oddly] by his colleagues. You know, they were like, 'Here's the tinfoil hat, Jim,'" he said.
Congress took two significant actions on cybersecurity in December. The first was to allocate an additional $425 million to the states for election security as part of the Defense Authorization Act. "Congress has said, 'We recognize this as a problem and said here's some money to do something about it,'" Leiserson said. "It's probably not enough, but it is almost half a billion dollars, which is a significant chunk of change."
The other action Congress took at the end of December as part of the Defense Authorization Act is pass a bipartisan bill to secure the electric grid infrastructure from cyberattacks, establishing a two-year program within the government's national laboratories to devise better protection methods. "Just straight-up security research to help folks understand what the risk posture is in critical infrastructure," Leiserson said.
Finally, also as part of the Defense Authorization Act, Congress passed a provision that requires specific development security metrics for software the Pentagon buys. That data will be reported throughout the Department of Defense and to Congress to bake in more security up front.
Kurt Opsahl, general counsel of the Electronic Frontier Foundation (EFF), thinks things will slow down in 2020 on the cybersecurity election front because it's an election year. We also won't see until September the kind of must-pass legislation such as the Defense Authorization [of 2020] bill, to which complex cybersecurity provisions can be attached. "I think in an election year with many other priorities happening, cybersecurity is something that Congress considers to be important, but a lot of other things are also important," Opsahl said.
Cyberspace Solarium Commission report expected
One cybersecurity action established by Congress in authorizing the Defense Authorization Act in 2019, the establishment of the Cyberspace Solarium Commission, could bear fruit in Congress during 2020. The Solarium Commission is a bipartisan, bicameral commission composed of 14 members, including four executive branch leaders, that have been assigned the task of developing solutions in the complex cybersecurity arena.
The Solarium Commission is expected to issue a report in the next few months that sheds light on what solutions might be applied to the often overwhelmingly difficult dilemmas posed in the digital security arena. "Cybersecurity is hard, and anyone who doesn't recognize that or tells you it's not is either naive, misinformed or trying to sell you something," Leonard Bailey, head of the cybersecurity unit at the Department of Justice, said.
The first report of the Solarium Commission will feature a lot of policy ideas and legislative recommendations, Leiserson said. "I don't necessarily think that we're going to get all of them in an election year and get them passed out of the house before the year-end, but [the report] will hopefully be able to be a fresh infusion of policy ideas."
Administrative subpoenas to identify vulnerabilities
One new cybersecurity policy idea already idea gaining momentum in Congress is the concept of an administrative subpoena, which the Department of Homeland Security (DHS) began advancing last year. Last week, the House Committee on Homeland Security favorably reported H.R. 5680, the Cybersecurity Vulnerability Identification and Notification Act, introduced by Representative Langevin, which grants the Cybersecurity and Infrastructure Security Agency (CISA) administrative subpoena authority to help identify and notify critical infrastructure entities of cybersecurity vulnerabilities on their systems.
As Leiserson explained, now if "DHS sees something on Shodan and they're like, 'Hey, that looks like a dam,' unless there's malicious activity emanating from that IP address, they cannot find out who the owner is," and they've had little luck obtaining subscriber information from ISPs. They can't notify the critical infrastructure operator of a potential threat. "So, we're trying to close that loophole."
In a conversation with CSO, Leiserson said the Senate is expected to mark up a companion bill to the CISA subpoena authorization "soonish." He says he doesn't see any real impediments to the bill's ultimate enactment.
There are, however, attempts to wrap various privacy protections into this bill, DOJ's Bailey said. "There is a time span by which once they get the information, they must reach out and contact the entity that had the vulnerable system," he said. Some provisions require CISA to destroy information unrelated to the critical infrastructure threat that they obtain. "There's some attempt to balance the ability to obtain this new information, this new authority with some of the privacy concerns that typically pop up."
Copyright exemptions for security researchers
Another cybersecurity-related topic on Congress' agenda this year is the triennial review of the exemptions to the anti-circumvention provisions of digital rights management (DRM) provisions of the Digital Millennium Copyright Act (DMCA). That review is slated to occur in 2021, but the process begins in 2020. Several exemptions enable cybersecurity researchers to investigate vulnerabilities without fear of copyright-related lawsuits, including a good-faith security research exemption and exemptions that allow security research on automotive vehicles.
"There may be some chances to expand upon these or add new ones," EFF's Opsahl said. Security researchers need to pay attention to the DMCA exemption process. "Unfortunately, several times we've had circumstances in which someone has done some research, but because of the DMCA anti-circumvention provisions, it created some awkwardness with coming out and presenting that research."
One area where Congress is unlikely to tread further is enacting legislation that provides encryption backdoors that the Trump Administration and Attorney General William Barr have been pushing, Leiserson tells CSO. Last week, Senator Lindsey Graham (R-SC) circulated a draft bill that threatens the tech industry's ability to deploy end-to-end decrypted services. "I've seen it play out a lot. I don't necessarily see that it's so much different this year on the hill. It comes up every once in a while, but I don't think there's necessarily a political coalition on the hill [to weaken encryption]. That's just my reading of the tea leaves," Leiserson says.