January 30, 2020

Rebooting Congressional Cybersecurity Oversight

By Carrie Cordero and David Thaw

Introduction

Cybersecurity oversight is due for a reboot. This paper explores the need for refreshed congressional oversight of cybersecurity. After laying out why cybersecurity oversight presents special challenges, this paper suggests that the disparate nature of the cybersecurity policymaking legal framework is mismatched to the nature of the cybersecurity problem, resulting in difficulty legislating in this space. It then provides two key recommendations to guide a congressional cybersecurity oversight reboot.

Cybersecurity is a broad challenge spanning many disciplines and industries. This paper argues that the current “patchwork” legal framework is ill suited to address cybersecurity questions either for legislative oversight or effective policymaking. The paper provides an overview of the nature and scope of the cybersecurity problem, with a focus on how the complexity of the field affects congressional oversight activities. Congress has been conducting a substantial amount of oversight in this area in recent years. Those efforts, however, have not yet resulted in legislative actions that have demonstrably improved national cybersecurity. This paper seeks to aid the effort to craft legal authorities that deal with an increasingly complex set of cyberthreats. This short exposition provides a path to rebooting Congress’ approach to cybersecurity oversight in a way that would allow these issues to be addressed more comprehensively.

Unpacking the Cybersecurity Challenge

Cybersecurity is a complex, integrated challenge spanning topics as diverse as (but not limited to) international affairs, national security and defense, criminal law, civil liability, data protection, privacy and personal responsibility. Cybersecurity also involves many different actors, ranging from governments to companies to organizations to individuals. And it involves virtually every type of computing and information technology in use today, representing a plethora of technologies far more diverse than the personal computers and servers of yesteryear. Thus, perhaps the greatest challenge of developing a comprehensive cybersecurity governance framework is the fact that it is a highly complex problem, pervasive and interrelated across many aspects of government, the private sector, and society.

From a federal government perspective, cybersecurity presents a set of interrelated challenges. Cybersecurity responses to malign cyber activities of hostile nation-states cannot be resolved the same way traditional kinetic defense threats would be handled. For example, cybersecurity cannot just be handed off to one agency, such as the Department of Defense (DoD) or the Department of Homeland Security (DHS). Although those departments play important roles, neither can—as a result of limits on legal authorities and their appropriate roles and responsibilities—address the problem comprehensively.

The current “patchwork” legal framework is ill suited to address cybersecurity questions either for legislative oversight or effective policymaking.

Most commonly, the term cybersecurity refers to some type of defensive technical security problem. Its meaning varies both descriptively and normatively across industrial sectors, types of actors, and disciplinary backgrounds. In reality, however, cybersecurity problems generally describe only one piece of a complex puzzle. The lack of a framework for defining these issues diminishes the ability of policymakers to create policy that adequately addresses the full spectrum of cybersecurity problems. This spectrum is broad and is not limited to traditional defensive boundaries. It includes strategic and adversarial planning and operations, spanning parties from private sector targets to law enforcement to military operations. In a fully internetworked world of connected appliances, vehicles, Internet of Things devices, and mobile devices, holistic consideration of cybersecurity questions is necessary. This discussion takes an expansive view of the elements that impact “cybersecurity”—ranging from technical aspects of system security to principles of international law in the context of armed conflict. This wide view is unified by the theme of efforts to improve the health of the U.S. information and computing infrastructure as an empirical matter, agnostic of any particular normative policy prescription of consumer protection, economic policy, or related issues.

The technological aspects of cybersecurity further complicate this problem in two ways. First, they create a degree of opacity for non-technologists in understanding key elements of the problem. Second, the highly technical nature of cybersecurity lends itself to the false belief that technical measures can provide complete solutions. Nothing could be further from the truth. Indeed, solutions focusing on technological “silver bullets” often are beneficial to adversaries because of the false sense of security they provide. Many of the most effective methods of “hacking” often rely on human vectors. Just as a technological perimeter is an infeasible system in an interconnected world, a cyber border defended by the Armed Forces is impractical.

Current Framework of Cybersecurity Law

A body of disparate law governing cybersecurity has arisen over the past several decades. While this disparate patchwork includes significant amounts of state, foreign, and international law, Congress has been reluctant to address cybersecurity law comprehensively. The lack of a coordinated policy framework both encourages additional “patchwork” policymaking and further complicates interactions with those federal laws that do exist. The result is a complex, disorganized system that substantially advantages adversaries seeking to find “cracks” to exploit. Accordingly, to understand Congress’ oversight role, it is useful to group cybersecurity law into the domains to which various policy frameworks apply. Cybersecurity law can roughly be divided into two overarching categories: the law directed at government entities and the law directed at nongovernmental entities or activities.

The lack of a coordinated policy framework both encourages additional “patchwork” policymaking and further complicates interactions with those federal laws that do exist.

Cybersecurity Law Directed at Government Entities

Cybersecurity law directed at government entities refers to laws that regulate the activities of the federal government as an actor. This includes activities related to the establishment and direction of government cybersecurity action protecting national defense, creation of federal cybersecurity agencies, providing for federal government information security practices, providing a framework for law enforcement to combat cybercrime, and associated areas of international law. Cybersecurity law directed at nongovernment entities and activities, by contrast, includes laws that primarily regulate the activities of actors other than the government.

Discussions of defensive cybersecurity often look to the DoD to protect U.S. national security. This view overestimates the legal authority of DoD and underestimates the technological aspects of defensive cybersecurity. Over a century of precedent suggests the Posse Comitatus Act substantially limits the ability of DoD to act outside the scope of its own infrastructure during peacetime. While DoD has taken steps to address this gap from a policy perspective—such as the development of the 2018 Cyber Strategy, which provides for DoD’s role in defending against certain malign cyberactivity—the scope of DoD’s ability to act domestically to prevent substantial harm from cyberattack is limited. Even were such limitations modified or removed, a virtual firewall at the U.S. border would be of limited (if any) effect. The state of global commerce and the architecture of the public Internet—which largely ignores political borders—makes border security on the public Internet impractical. A view that cybersecurity problems can be managed within DoD is insufficient, both legally and technologically.

A view that cybersecurity problems can be managed within DoD is insufficient, both legally and technologically.

Another common area of discussion for defensive cybersecurity is criminal law enforcement. The enforcement of civilian cybercrime law primarily rests with the Department of Justice (DoJ), with support from DHS and the Department of Commerce (DoC). DoJ plays the lead investigative and prosecutorial role, whereas DHS works to coordinate efforts and provide technical and policy expertise both to other non-military governmental entities and to civilian organizations. Both departments and their constituent agencies coordinate, explicitly or implicitly, with the DoC’s National Institute of Standards and Technology, which maintains one of the largest repositories of expertise on computer science and computer security. The legal authorities for these activities range from the enabling statutes for the agencies themselves to the general federal computer crimes law to executive directives, and from traditional criminal investigation and enforcement to support for organizations experiencing or at risk of cyberattacks. Information sharing, increasingly the subject of legislative activity in the early 2010s, also falls within this category. There is neither statutorily required coordination nor organized congressional oversight of this wide range of activities.

Cybersecurity Law Directed at Nongovernmental Entities

Cybersecurity legal and policy regimes directed at nongovernmental entities have been in place for decades, drawing from information security and privacy law frameworks and regulations. They focus primarily on the regulation of private actors’ interactions with one another and the extent to which those interactions may impact the overall cybersecurity ecosystem. Such regimes usually comprise two categories, sector-specific regulation and generally applicable regulation. In addition to this distinction, nongovernmental cybersecurity regimes sometimes distinguish between consumer protection laws (primarily aimed at protecting users and their data) and infrastructure protection laws (primarily aimed at protecting systems and infrastructure). The two approaches are, of course, not mutually exclusive. Sector-specific regulation at the federal level most notably includes regulation of the healthcare and finance industries. The regulatory regimes for these two sectors are similar, both employing flexible styles of process-based standards regulation. Under this type of regulation, organizations are required to conduct cybersecurity risk assessments, develop plans reasonably responsive to those assessments, and follow and maintain those plans. While regulations vary across the industries, in general the foci of these regimes are both protecting infrastructure and protecting users and data.

General regulation at the federal level is substantially patchwork and overwhelmingly conducted through the unfair and deceptive trade practices authority of the Federal Trade Commission (FTC). There is debate as to the proper role of the FTC, including whether the commission’s current statutory expertise (consumer protection and antitrust) should be extended specifically to include cybersecurity. The FTC generally lacks practical rulemaking authority as pertains to cybersecurity and data protection, and it conducts its enforcement nearly exclusively through adjudicatory enforcement actions. The past two decades have seen a substantial expansion of FTC activity in this area through the adjudicatory process. Congress has previously conducted oversight and reform activities in the face of expanding FTC activity, but has not legislatively addressed FTC expansion into cybersecurity under its unfair and deceptive practices enforcement. For over a decade, regulatory agencies such as the FTC and Department of Health and Human Services have imposed regulatory fines and other penalties on companies for failure to adhere to sufficient cybersecurity practices. Congress should explore whether those fines or other regulatory enforcement actions are actually providing significant incentive to change corporate behavior, as well as resourcing of and attention to cybersecurity requirements before an incident occurs. More recently, the Securities and Exchange Commission has also explored whether it can or should have a more substantial role in regulating private sector entities under its jurisdiction.

Regulation at the state level comprises a combination of variations on the federal regimes, as well as state data breach notification statutes. State-level data breach notification laws are generally similar across states in that they require entities to notify consumers whose information was disclosed during a data breach, when the data describing the consumer includes an identifier (usually the consumer’s name) associated with sensitive information (usually Social Security number, other government identification number, or financial account number). While general breach notification law does not exist at the federal level, it has been considered by Congress from time to time.

In recent years, information sharing has become a topic of much policy and legislative attention. In 2015, Congress passed the Cybersecurity Information Sharing Act (2015 CISA), which, among other things, provided a liability shield to qualifying private actors, such as those who participated in the newly revised information-sharing program administered by DHS and DoJ. Information sharing was, at the time, viewed by private industry actors as an important step for improving cybersecurity practices and defensive measures. The 2015 CISA received substantial support from private industry, in large part because of the private sector’s desire to have a liability shield against exposure to tort and/or regulatory liability for information about their systems and activities contained in shared information. Privacy and data protection advocates expressed substantial concerns regarding the legislation.

Information sharing–related legislative initiatives, have, in recent years, become the most visible and engaged area of legislative cybersecurity activity. In hindsight, however, the promises of information sharing have not been demonstrated to produce substantial changes in the defensive and deterrence landscape of cybersecurity for private organizations. Systems continue to be compromised with problematic frequency, and adversaries and bad actors continue to discover and exploit vulnerabilities. In this regard, the attention given to information sharing over the past decade was likely disproportionate to the promise such legislation and activities held for making meaningful improvement in the nation’s cybersecurity footing.

It is difficult to prove that cybersecurity measures have (or have not) been successful at macro scale. This is in part because of the classic challenges involved in proving a negative. The measure of cybersecurity effectiveness is likely commensurate with the absence of malign cyberactivity, and there does not appear to be a reliable assessment of data that proves whether cyberattacks are on the rise or on the decline. There are substantial challenges of identifying dependent variables with which to measure cybersecurity incidence, and of distinguishing the impact of any one or few change(s) given the overall complexity of cybersecurity at scale. These difficulties also note the importance of efforts to develop or improve metrics to evaluate the efficacy of cybersecurity measures. As R Street’s Paul Rosenzweig has noted, “There are no universally recognized, generally accepted metrics by which to measure and describe cybersecurity improvements …. As a result, decision-makers (whether they be corporate boards, government officials or individual users) are left to make choices about cybersecurity implementation based on qualitative measures rather than quantitative ones.” On this issue, exploring mechanisms to measure the effectiveness of cybersecurity activities is a worthwhile endeavor.

The measure of cybersecurity effectiveness is likely commensurate with the absence of malign cyberactivity, and there does not appear to be a reliable assessment of data that proves whether cyberattacks are on the rise or on the decline.

Measuring cybersecurity, however, will be an incomplete endeavor if it is not supported by data. To date, a full set of data is not available because nongovernmental entities are not required to provide the federal government with information about significant data breaches, which is one metric indicating the success or failure of cybersecurity efforts. Accordingly, efforts to quantify cybersecurity effectiveness should take into account proposals to incentivize nongovernmental entities to provide information to the government or an independent entity that can collate reliable data about the extent of cybersecurity incidents and breaches.

Measuring cybersecurity, however, will be an incomplete endeavor if it is not supported by data.

For the reasons described above—most notably the continued public and market dissatisfaction with the state of cybersecurity—the information-sharing efforts of the past decade have not been as consequential as perhaps expected by the sustained effort to obtain legislation. This is, of course, not to say that information sharing is unhelpful, nor that it does not have a useful role in an overall strategy. Rather, it is better considered as part of an overall strategy that includes, as an important component, evaluative metrics and frameworks. As with the other areas of cybersecurity regulation discussed above, the absence of a coordinated strategy highlights the limits of individual solutions and the need for comprehensive oversight and reform by Congress.

Recent Cybersecurity Congressional Oversight & Proposal for Interim Steps

The Patchwork Mismatch

Currently, existing laws, executive structure, and congressional oversight mechanisms are a mismatch for the nature of the cybersecurity challenges presented by a complex, technologically integrated society. Existing mechanisms for congressional cybersecurity oversight are likewise disjointed and uncoordinated. Unlike in many other policy areas, there is no one clear committee or clear set of committees responsible for cybersecurity issues. These are divided among many committees in both the House of Representatives and the Senate, often along historical lines that may not match current expertise. The Judiciary committees often encounter cybersecurity issues in the context of surveillance, cybercrime enforcement, and privacy issues. The Armed Services committees are called upon to consider cybersecurity issues when evaluating legislation concerning offensive and defensive cyber capabilities, which are part of the government’s response to counter hostile cyber activities by foreign nation-states. The Intelligence committees engage on cybersecurity activities most recently from the perspective of protecting electoral system infrastructure from foreign influence and malign cyber activities related to foreign interference in democratic processes. And the Homeland Security committees are heavily involved in cybersecurity oversight due to the critical cybersecurity functions that DHS provides in securing the federal government’s civilian networks and in coordinating information sharing between government entities and the private sector. The lack of a coordinating function among these committees limits Congress’ ability to obtain a comprehensive picture of the cybersecurity problem, particularly when these committees advance legislation solely from their own jurisdictions.

To develop a successful cybersecurity approach, Congress must first be able to obtain a comprehensive picture of the problem. This is challenging, and not just because of the lack of committee coordination. The complex nature of the problem itself, previously illustrated, requires gathering information about the interaction of a large set of actors, economic sectors, and government departments. How would increased organized criminal investigative activities impact the incentives of potential nation-state actors? How would the responses by those foreign actors alter the availability of malicious tools and code to third parties targeting private organizations and individuals? How might proposals to legalize “hacking back” affect adversaries’ incentives to engage in false-flag operations? These are complicated questions spanning many different areas yet attempts to address any one area impact nearly all others. This is no easy challenge for Congress, made worse by the fact that it is happening in real time, and pressure to act is growing on executive agencies Congress must oversee.

To develop a successful cybersecurity approach, Congress must first be able to get a comprehensive picture of the problem.

Since January 2019, in the 116th Congress, there have been at least 13 hearings involving cybersecurity topics. These 13 hearings have been conducted by seven different congressional committees, including three committees in the House of Representatives and four committees in the Senate. From January 2017 to December 2018, in the 115th Congress, there were at least 56 hearings involving cybersecurity topics. These 56 hearings were conducted by 17 different congressional committees, including eight committees in the House of Representatives and seven committees in the Senate. (See Appendix A for a list of these hearings.) Meanwhile, specific members of Congress have launched the Cyberspace Solarium Commission, mandated by the 2019 National Defense Authorization Act and comprised of members from both chambers of Congress, as well as outside experts. The commission is charged with “evaluating divergent approaches to defending the United States in cyberspace and driving consensus toward a comprehensive strategy.” The commission’s recommendations for developing this strategy are scheduled to be delivered in a 2020 report.

The lack of committee coordination is only one aspect of the problem, however. There are many different aspects to the cybersecurity problem, most of which are interrelated and equally vulnerable to adversaries who seek to compromise U.S. systems. In other words, attackers don’t care how they get in—only that they do. Their mechanisms do not neatly (or even weakly) follow committee jurisdiction. While the disjointed committee patchwork could be interpreted as an argument for intelligence oversight–style reform of congressional committee structure, this is as deceptively incomplete an answer as is the myth of information sharing or effective increased deterrence through criminal penalty. Because it is precisely the patchwork nature of the problem—which spans questions in national defense, law enforcement, agriculture, energy, transportation, finance, healthcare, manufacturing, consumer protection, and a host of other areas—that makes uncoordinated oversight and legislation challenging at best. At worst, it runs the risk of benefiting adversaries by promoting a false sense of security when problems are addressed in one area at the expense of ignoring another.

Interim Steps

While this paper does not make long-term recommendations, the patchwork mismatch discussed in this section does suggest two key interim steps that could be implemented this year and next.

First, as it pertains to cybersecurity oversight and legislation, in 2020, Congress should focus particular attention on the most urgent of priorities: the cybersecurity of the 2020 election, and whether there is an urgent legislative gap or authority that would significantly aid the executive branch in combating foreign nation-state cyberattacks against the United States or U.S. interests election infrastructure and democratic institutions. An example of this type of immediate legislative activity would be a provision as was added to the 2019 National Defense Authorization Act, which affirmatively authorized the DoD to take action in response to election interference by China, Russia, North Korea, or Iran. An additional consideration relevant to 2020 election integrity would be what transparency requirements can be legislated promptly to mandate that the government more effectively communicate cybersecurity threats and risks—including threats to electoral systems and democratic processes—to Congress, civil society and the public. The federal government waited too long—October 2016—to inform the public at large that a serious national security threat existed as it related to Russian efforts to interfere in the 2016 election. That mistake should not be repeated, and it likely requires legislation to ensure that it is not.

Second, the most prevalent oversight shortcoming is the lack of congressional coordination focused on cybersecurity. Thus, we recommend the establishment of an interim joint select committee to begin work in the 117th Congress, which will commence in January 2021. Ideally, this would take the form of a joint select committee with combined House and Senate membership, and equal numbers from each political party. A select committee could be charged not only with initiating direct inquiries, but also with coordinating the activities of other committees that relate to cybersecurity issues. The committee, in addition to coordinating across both chambers, could be charged with producing specific reports or proposed legislation by a given deadline. We propose that this committee be a true “select” committee—one with a short-term duration to tackle a specific problem, not a “select” committee that becomes a de facto permanent one (like the intelligence committees). Although not a joint committee, the model set by the House Select Committee on the Modernization of Congress appears to be one of bipartisanship and success in staying on task with visible progress toward its mandate. Moreover, the select committee can pick up on the forthcoming recommendations provided by the report of the Cyberspace Solarium Commission to ensure that the baton is not dropped after their work concludes. Finally, the limited duration of such a select committee could create some political accountability with the election of the 118th Congress. By charging it to create recommendations to be implemented for the 118th, and given the high-profile nature of cybersecurity issues, voter willingness to hold members accountable for failures to act is a plausible motivation for such a committee to produce recommendations in a finite time frame.

We recommend the establishment of an interim joint select committee to begin work in the 117th Congress, which will commence in January 2021.

Conclusion

Although cybersecurity presents numerous challenges to crafting effective legislation that significantly improves the nation’s cybersecurity posture, the current environment demands more work in this legislative space. Having framed the cybersecurity legal framework roughly into the categories of law directed at government entities, which is underdeveloped; and law directed at non-government entities, which is fragmented, we propose renewed congressional attention to debate and legislation in the cybersecurity arena. In the short term, those efforts should include both immediate attention to 2020 election integrity and security, and, next year, the creation of a short-term, select committee to address cybersecurity legislative proposals in a comprehensive manner.

Note for acknowledgment: The authors thank Bobby Chesney, Carrie Gardner, Gus Hurwitz, Jeff Kosseff, Paul Mazzucco, Martijn Rasser, and Loren DeJonge Schulman for their helpful exchange of ideas on the issues discussed in this paper and feedback on earlier drafts of this paper. We are also grateful for research assistance from Marta San José Marin, and for the editing and publications expertise of Maura McCarthy and Melody Cook, as well as essential copyediting of Jennifer Rubio. This paper is part of a CNAS series on congressional intelligence oversight made possible by the generous support of The William and Flora Hewlett Foundation.

  1. Jeff Kosseff, “Defining Cybersecurity Law,” Iowa Law Review, 103 no. 3 (March 2018), 985.
  2. See, e.g., Derek Bambauer, “Privacy vs. Security,” J. Crim. L. & Criminology, 103 no. 3 (2013), 667 (arguing that “security” and “privacy” are not opposite ends of a spectrum but rather differing axes of consideration in law, technology, and policymaking).
  3. Donie O’Sullivan, “We asked a hacker to try and steal a CNN tech reporter’s data. Here’s what happened,” CNN.com, October 18, 2019, https://www.cnn.com/2019/10/18/tech/reporter-hack/index.html.
  4. See Eric Roberts, “Why the Great Firewall of China is Effective,” https://cs.stanford.edu/people/eroberts/cs181/projects/international-freedom-of-info/china_3.html (asserting that “The firewall is easy enough to bypass with encrypted web traffic and virtual private networks …. Additionally, the Firewall will not prevent a determined individual from visiting a website he wants to visit ….”). See also Chao Tang, In-depth analysis of the Great Firewall of China, Dec. 14, 2016, https://www.cs.tufts.edu/comp/116/archive/fall2016/ctang.pdf (noting that while some advanced techniques can limit the effectiveness of VPNs, “onion routing” (Tor), and similar technologies, the “Great Firewall” remains largely permeable to technologically sophisticated users).
  5. Many industry professionals and experts have observed that this lack of coordination complicates compliance, which may draw resources away from substantive defensive efforts to manage compliance with uncoordinated but concurrently applicable state and/or federal regimes.
  6. Derek Bambauer, Justin “Gus” Hurwitz, David Thaw, and Charlotte Tschider, Cybersecurity: An Interdisciplinary Approach (West Academic Press, forthcoming 2021).
  7. National defense–related activities are notably cabined by the Posse Comitatus Act of 1878, which restricts the use of federal military authority to enforce domestic law. The annual National Defense Authorization Act (NDAA) has also been used for authorizing cyber related defense activities.
  8. Cybersecurity and Infrastructure Security Agency, www.cisa.gov, created by Public Law 115-278, Cybersecurity and Infrastructure Security Agency Act of 2018, November 13, 2018.
  9. 44 U.S.C. § 3541 et seq., Federal Information Security Management Act of 2002 (enacted as Title III of Public Law 107-347, E-Government Act of 2002).
  10. Public Law 99-474, Computer Fraud and Abuse Act of 1986 (codified as amended at 18 U.S.C. § 1030) (amending 18 U.S.C. § 1030 passed as part of the Comprehensive Crime Control Act of 1984). The 1986 version introduced substantial changes that form the primary framework of federal computer crime law remaining in place today. See Orin S. Kerr, “Cybercrime’s Scope,” N.Y.U. L. Rev. 78 no. 5 (November 2003), 1596.
  11. See generally Michael Schmitt, ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press, 2017). Note also the various foreign laws with extraterritorial application, such as the European General Data Protection Regulation (“GDPR”) (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, https://eur-lex.europa.eu/eli/reg/2016/679/oj).
  12. Civilian criminal law is included with “governmental cybersecurity law” because it regulates the relationship of individuals with the government. This is distinguished from other (civil) regulatory regimes that regulate the relationship of nongovernment actors with one another, as opposed to with the government.
  13. It is worth noting that there is some debate on this point within the context of cybersecurity and cyberoperations. As recently as the 2019 National Defense Authorization Act, Congress examined steps to clarify the scope of authority for certain cyberoperations – suggesting a prior lack of clarity. Robert Chesney, “New Authorities for Military Cyber Operations and Surveillance, Including TMA?” Lawfare, June 27, 2018, https://www.lawfareblog.com/new-authorities-military-cyber-operations-and-surveillance-including-tma; Robert Chesney, “The Law of Military Cyber Operations and the New NDAA,” Lawfare, July 26, 2018, https://www.lawfareblog.com/law-military-cyber-operations-and-new-ndaa.
  14. “Summary, Department of Defense Cyber Strategy 2018,” https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.
  15. For a review of U.S. perspectives on the role of the federal government, and more specifically the Department of Defense, in defending “critical national infrastructure,” see Scott J. Schackelford and Amanda N. Craig, “Beyond the New Digital Divide: Analyzing the Evolving Role of National Governments in Internet Governance and Enhancing Cybersecurity,” 50 Stan. J. Int’l L. 119, 144-51 (2014). See also generally Mark R. Schonberg and Brian H. Nussbaum, “Defining the DOD Role in National Cybersecurity,” U.S. Army War College Master’s Thesis (2013), https://apps.dtic.mil/dtic/tr/fulltext/u2/a590756.pdf.
  16. See, e.g., Homeland Security Act of 2002 (as amended).
  17. See generally 18 U.S.C. § 1030 (Computer Fraud and Abuse Act of 1986).
  18. See, e.g., Executive Orders 13800, 13636, and 13781, https://www.federalregister.gov/presidential-documents/executive-orders; Presidential Policy Directive 21, https://www.dhs.gov/sites/default/files/publications/ISC-PPD-21-Implementation-White-Paper-2015-508.pdf; Presidential Policy Directive 41, https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident.
  19. Presidential Policy Directive 41 does reference some coordinative structure; however, as with all executive directives, it is limited in scope as to what does not conflict with statute and can be changed at any time by the then-current-President. Thus, such mechanisms are not an exemption from the need for congressional action and oversight – quite the contrary, in fact, they most likely suggest a need for congressional involvement.
  20. Public Law No. 104-191, Health Insurance Portability and Accountability Act of 1996, August 21, 1996; 110 Stat. 1936, Health Coverage Availability and Affordability Act of 1996 (codified in scattered sections of 26 U.S.C., 29 U.S.C., and 42 U.S.C.), August 21, 1996; 45 C.F.R. §§ 164.102–.534 (2013) (the numerous regulations referred to collectively as the HIPAA Security Rule).
  21. Public Law No. 106-102, Gramm-Leach-Bliley Financial Modernization Act (GLBA), Nov. 12, 1999; 113 Stat. 1338, ATM Fee Reform Act of 1999 (codified as amended in scattered sections of 12 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., and 29 U.S.C.), Nov. 12, 1999; 16 C.F.R. § 314, Standards for Safeguarding Customer Information, 2013; 70 Fed. Reg. 15736-01, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (codified at scattered sections of 12 C.F.R. pt. 30), March 29, 2005 (collectively implementing the regulations from various agencies implementing the information security requirements of GLBA).
  22. These are prominent examples. Industry-specific regulation also includes examples from defense-related sectors, energy, transportation, and others.
  23. Daniel J. Solove and Woodrow Hartzog, “The FTC and the New Common Law of Privacy,” Colum. L. Rev. 114 no. 3 (January 2011), 583, https://www.columbialawreview.org/wp-content/uploads/2016/04/Solove-Hartzog.pdf.
  24. The FTC has attempted to develop some such expertise itself; however, this is not pursuant to express congressional delegation. Some have argued the current commission is backing off this approach. See, e.g., Justin “Gus” Hurwitz, “Data Security and the FTC’s UnCommon Law,” Iowa L. Rev. 101 no. 3 (March 2016), 955; William McGeveran, “The Duty of Data Security,” Minn. L. Rev. 103 no. 13 (2019), 1135. See also Federal Trade Commission, Hearings on Competition and Consumer Protection in the 21st Century, Hearing #9: Data Security, Dec. 11–12, 2018, https://www.ftc.gov/news-events/events-calendar/ftc-hearing-competition-consumer-protection-21st-century-december-2018.
  25. Some have argued that this adjudication forms a de facto set of regulations similar to the common law; however, others have argued such an approach is outside the agency’s authority (Solove and Hartzog, “The FTC and the New Common Law of Privacy”; Hurwitz, “Data Security and the FTC’s UnCommon Law). The courts have not addressed this issue directly. In any event, ad hoc adjudication is a responsive, slow, and deeply inferior practice to coordinated policymaking and represents an example of the imperative for congressional oversight.
  26. 103 F.T.C. 110, 174, “FTC Policy Statement on Deception” (1983), https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf; 104 F.T.C. 949, 1070, “FTC Policy Statement on Unfairness” (1980), https://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness.
  27. See Daniel J. Solove and Woodrow Hartzog, "The FTC and the New Common Law of Privacy," 114 Colum. L. Rev. 584 (2014), see also Justin (Gus) Hurwitz, "Data Security and the FTC's UnCommon Law," 101 Iowa L. Rev. 955 (2016).
  28. Jay Clayton, Chairman of the U.S. Securities and Exchange Commission, “Oversight of the US Securities and Exchange Commission: Enterprise Risk and Cybersecurity,” statement to Committee on Banking, Housing, & Urban Affairs, U.S. Senate, Dec. 11, 2018, https://www.sec.gov/news/testimony/testimony-oversight-us-securities-and-exchange-commission-0.
  29. Except as provided under HIPAA.
  30. “(Another) Federal Data Breach Law Introduced in Congress,” National Law Journal, December 18, 2017, https://www.natlawreview.com/article/another-federal-data-breach-notification-law-introduced-congress.
  31. Not to be confused with the Cybersecurity Infrastructure Security Agency Act of 2018, which created the Cybersecurity Infrastructure Security Agency within the Department of Homeland Security.
  32. Public Law 114-113, Cybersecurity Information Sharing Act of 2015 (CISA), 2015, Section 106 (incorporated as amended into the Consolidated Appropriations Act of 2016).
  33. Cory Bennett, “Breaches Prompt Lobbying Surge Behind Cyber Bill,” The Hill, May 5, 2015, https://thehill.com/policy/cybersecurity/241023-breaches-prompt-lobbying-surge-behind-cyber-bill.
  34. See, e.g., Lee Tien, “DHS Agrees with EFF: Senate’s CISA ‘Cybersecurity’ Bill Will Damage Privacy,” Electronic Frontier Foundation, August 5, 2015, https://www.eff.org/deeplinks/2015/08/dhs-agrees-eff-senates-cisa-cybersecurity-bill-will-damage-privacy. See also, e.g., Jadzia Butler and Greg Nojeim, “Cybersecurity Information Sharing In the ‘Ominous’ Budget Bill: A Setback for Privacy,” Center for Democracy & Technology, Dec. 17, 2015, https://cdt.org/insights/cybersecurity-information-sharing-in-the-ominous-budget-bill-a-setback-for-privacy/.
  35. This likely was, at least in part, a result of the fact that substantial amounts of information sharing already were occurring within the context of the Information Sharing and Analysis Centers (ISACs) under the authority of Presidential Decision Directive 63 (PDD-63), 1998. Of note, PDD-63 was implemented before the formation of the Department of Homeland Security.
  36. See, generally, David Thaw, “The Efficacy of Cybersecurity Regulation, Ga. St. U. L. Rev. 30 no. 2 (Winter 2013), 287. See also David Thaw, “Characterizing, Classifying, and Understanding Information Security Laws and Regulations: Considerations for Policymakers and Organizations Protecting Sensitive Information Assets” (Ph.D. dissertation, University of California, Berkeley) (on file with the University of California), (Spring 2011).
  37. See Paul Rosenzweig, “Preliminary Observations on the Utility of Measuring Cybersecurity,” Lawfare, August 6, 2019, https://www.lawfareblog.com/preliminary-observations-utility-measuring-cybersecurity; Robert S. Taylor, “How to Measure Cybersecurity,” Lawfare, August 26, 2019, https://www.lawfareblog.com/how-measure-cybersecurity.
  38. Kathryn Waldron, Resources for Measuring Cybersecurity (R Street Institute, October 2019), https://www.rstreet.org/wp-content/uploads/2019/10/Final-Cyberbibliography-2019.pdf.
  39. This problem continues: Just about one month before publication of this paper, Congress held hearings considering various federal privacy bills. These bills, however, failed to adequately consider the interrelationships with cybersecurity issues. See Jeff Kosseff, “Congress Is Finally Tackling Privacy! Now Let’s Do Cybersecurity,” Slate, Dec. 3, 2019, https://slate.com/technology/2019/12/congress-national-privacy-law-cybersecurity.html.
  40. Sen. Angus King and Rep. Mike Gallagher, “Announcing the Cyberspace Solarium Commission,” Lawfare, August 19, 2019, https://www.lawfareblog.com/announcing-cyberspace-solarium-commission.
  41. On September 26, 2019, Acting DNI Joseph Maguire testified before the House Intelligence Committee that, in his judgment, the most pressing national security threat was the integrity of elections. Joseph Maguire, Acting Director of National Intelligence, testimony to the Permanent Select Committee on Intelligence, U.S. House of Representatives, Sept. 26, 2019, https://docs.house.gov/meetings/IG/IG00/20190926/110027/HHRG-116-IG00-Transcript-20190926.pdf.
  42. Public Law 115-232, National Defense Authorization Act for Fiscal Year 2019, August 13, 2018, Section 1642.
  43. A legislative option Congress could consider would be to include a reporting requirement requiring that substantial intelligence indicating foreign threats to 2020 election are underway shall be reported by the Director of National Intelligence to the intelligence committees promptly. It is then the responsibility of the intelligence committees, working with the executive branch, to ensure that the remainder of Congress and/or the public, when appropriate, are informed of the malign activities. For a discussion of the intelligence committees’ informing function, see Carrie Cordero, “Enhancing Congressional Intelligence Committee Effectiveness,” Center for a New American Security, August 5, 2019, https://www.cnas.org/publications/reports/enhancing-congressional-intelligence-committee-effectiveness.
  44. A critical element of coordination is, as noted earlier, defining what falls under the scope of the term “cybersecurity.” While a robust treatment of that question is outside the scope of this paper’s recommendations, the authors do encourage the Congress to consider our earlier proposed general framing of the scope of items that fall within “cybersecurity.” See Part I; Kosseff, “Defining Cybersecurity Law”; and Bambauer, “Privacy vs. Security.”
  45. A bill was introduced in 2017 by Senators Cory Gardner and Chris Coons similar to that proposed here. U.S. Senate, Resolution Establishing the Select Committee on Cybersecurity, S. Res. 23, 115th Cong., 1st Sess., https://www.congress.gov/115/bills/sres23/BILLS-115sres23is.pdf.
  46. Historical examples of joint committees on issues of preeminent national security importance include the Joint Committee on Atomic Energy and the Joint Inquiry into Intelligence Community Activities before and after the Terrorist Attacks of September 11, 2001.
  47. It may be worth considering linking this timing to the work of the Cyberspace Solarium Commission. While it is likely the commission will issue its report several months before the 117th Congress is seated, the report’s stated goals of being “forward looking and prescriptive” may provide recommendations with useful timing markers the 117th Congress could engage. See Sen. King & Rep. Gallagher, “Announcing the Cyberspace Solarium Commission.”
  48. House Select Committee on the Modernization of Congress website, https://modernizecongress.house.gov/about/history. There is also a House Select Committee on Climate, but that committee has an unequal number of members from the majority and minority, a factor that contributes to partisanship. See Carrie Cordero, “Enhancing Congressional Intelligence Committee Effectiveness,” Center for a New American Security, August 5, 2019, https://www.cnas.org/publications/reports/enhancing-congressional-intelligence-committee-effectiveness (for recommendations to the Intelligence Committee to improve bipartisanship).
  49. Public Law 115-232, Section 1639.

Authors

  • Carrie Cordero

    Robert M. Gates Senior Fellow

    Carrie Cordero is the Robert M. Gates Senior Fellow and General Counsel at the Center for a New American Security. She is also an adjunct professor of law at Georgetown Univer...

  • David Thaw

    University of Pittsburgh

    David Thaw is a professor at the University of Pittsburgh and holds appointments in the School of Law and the School of Computing and Information. He is also an Affiliated Fel...

  • Reports
    • April 2, 2019
    Intelligence Oversight Priorities for the 116th Congress

    Introduction Congressional oversight is essential for providing accountability for the activities of the intelligence services.1 Effective oversight by the congressional intel...

    By Carrie Cordero

  • Reports
    • August 5, 2019
    Enhancing Congressional Intelligence Committee Effectiveness

    In a new working paper, Carrie Cordero provides a fresh assessment regarding whether the intelligence committees in Congress need significant structural reforms, assesses whic...

    By Carrie Cordero

  • Commentary
    • April 24, 2019
    The National Security Imperative of Protecting User Data

    Privacy legislation directed at 21st-century technology platforms and internet companies is not just about privacy; it is also important to address modern-day national securit...

    By Carrie Cordero

  • Commentary
    • Council on Foreign Relations
    • February 12, 2020
    The Dangers of Manipulated Media in the Midst of a Crisis

    In the immediate aftermath of the U.S. drone strike that killed Iranian General Qasem Soleimani, the internet was flooded with purportedly real-time information about the circ...

    By Megan Lamberth

View All Reports View All Articles & Multimedia