Today, the U.S. Chamber of Commerce hosted a discussion on potential future U.S. cybersecurity legislation as part of its Now+Next events. The session featured a panel of experts discussing legislative recommendations and proposals as we brace for a presidential election and get ready for a new Congress to be sworn in early next year. Just before the event started, we caught up with two experts for their perspective on what to look out for in the coming months.
What’s Happening This Fall
There is time before the legislative clock runs out on the current Congress, so there is still an opportunity to pass cybersecurity legislation this session. However, elections loom and a new Congress will be sworn in January 3. To prep for the coming months, we asked Mark Montgomery, executive director for the U.S. Cyberspace Solarium Commission, a bipartisan expert commission appointed by the U.S. government, for his thoughts on potential upcoming cybersecurity legislation.
He highlighted a few areas to watch:
- The creation of an office of “National Cybersecurity Director” (NCD) at the White House to help coordinate cybersecurity policy across agencies and the federal government.
- Further strengthening of the Cybersecurity and Infrastructure Security Agency (CISA), which leads the effort to understand and manage cyber and physical risks to critical infrastructure.
- Legislation detailing ways to enhance public-private partnership and information sharing.
- Legislation enhancing the ability of federal and state/local governments and the private sector to respond to, and recover from, a major cyberattack.
- Increased guidance or legislation clarifying cybersecurity standards for manufactured objects, also known as the Internet of Things (IoT).
- Legislation clarifying or regulating adequate levels of cybersecurity for cloud computing facilities.
The Chamber has engaged with the Hill and the Commission staff on several of these issues. Last week, we sent a letter to members of the House and Senate Fiscal Year 2021 National Defense Authorization Act Conference Committee that included support for an NCD, among other priorities.
Perhaps the most vital component is someone in the White House to coordinate cybersecurity responses across multiple agencies.
“We need a National Cyber Director at the White House to properly integrate the national cyber strategy across the federal agencies. So that when you’re looking at the federal government, you’re seeing one clear response and not 35 independently-executed responses by the different agencies,” Montgomery said.
In an interview, Matthew Eggers, vice president for cybersecurity policy at the U.S. Chamber of Commerce, agreed that a National Cyber Director could also help bridge the gap between the government and the private sector by simply engaging with businesses and being a single point of contact.
“Businesses need a ‘go-to person,’” Eggers said. “They need somebody from the White House out on the road every day talking to them, saying: ‘How are you doing? What do you need? What can we do together?’”
Montgomery said that CISA would continue to do “the everyday blocking and tackling” of cybersecurity, while working with the National Cyber Director.
Codifying a Collaborative Information Sharing Relationship
Information sharing is another vital area needing more clarity and support. Getting the private sector—whether it’s financial institutions or electric utilities—to share intelligence with relevant government agencies could help enhance cybersecurity for everyone and help minimize any possible disruptions.
“We need to start building the link between the government and private sector,” Montgomery said. “We need to figure out how to bring that data together in a way that’s acceptable to the private sector and usable by the government, to help look through it to determine trends, attack techniques, indications and warnings. So that we’re more gracefully, efficiently, and persistently sharing information between the private sector and the government about what the adversaries are up to.”
Enhancing IoT Cybersecurity
Eggers and Montgomery agree that IoT might be a place for public and private action in the coming year. For example, Congress might look into pairing industry-led consensus standards (e.g., NISTIR 8259, ISO/IEC 27402, C2 Consensus on IoT Device Security Baseline Capabilities) currently under development with liability protections for IoT devices.
“There would be a process—NIST and industry would identify a handful of standards for manufacturers to build to—plus liability protection,” Eggers said. “The parameters of a fairly workable approach are there, we just need enough people to see it and push for it.”
Layered Cyber Defense
Legislation that helps create new layers of the country’s defense against a major cyberattack—one so severe it might cripple electricity, the water supply, or other critical infrastructure—should also be a focus of this Congress, Montgomery said.
“We have to have that National Cyber Director as a strong, centralized support to the president and White House. You have to have an empowered, properly-resourced CISA to lead the national risk management and planning and begin the response,” Montgomery said. “You have strategic leadership, support to industry from CISA, the Department of Energy, the Treasury. You have law enforcement support…Separate from this, is action by the National Security Council. There’s lots of moving pieces and we’re trying to improve the defensive aspect of these moving pieces.”
Join the conversation on cybersecurity throughout the rest of the month as the U.S. Chamber continues its Now+Next on vital issues in cybersecurity. You can also download the official report from the Solarium Commission including over 80 recommendations on how to defend the U.S. against cyberattacks.