Policy

How the cyber agenda would shift if the GOP takes over Congress

This Feb 23, 2019, file photo shows the inside of a computer in Jersey City, N.J. (AP Photo/Jenny Kane)

As one of the few bipartisan issues in Congress, cybersecurity is expected to continue to garner support from both political parties no matter the final outcome of this week’s midterm elections. But experts predict that if the GOP takes control of Congress, empowered Republican lawmakers could push back against government regulation in the industry.

Over the past year, lawmakers have introduced and passed several bipartisan cybersecurity bills, with many focused on protecting critical infrastructure, including in the health and energy sectors

Experts said regardless of which party is in control of Congress next year, lawmakers from both sides of the aisle will continue to collaborate and take actions on cybersecurity issues.

“Cybersecurity is a priority for the nation and it’s a bipartisan issue,” said Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School.

“I think everyone wants the country to be well-protected in the cyber domain,” he added. 


However, Jaffer warned that if Republicans win majorities in the House or Senate, they will likely push for less government regulation and instead advocate for market incentives designed to encourage the private sector to invest in cybersecurity. 

He noted that although Republicans are not against all government regulation, they would rather it be implemented only when necessary.

“I think generally the Republican perspective is that less government is better, and that the government may not be as effective in figuring out what the right thing to do is [in certain cases],” Jaffer said, adding that “a Republican Congress is likely to look at what incentives the private industry needs to do a better job [at protecting critical sectors].”

Jaffer also said it is likely that Republicans will conduct oversight over what the government does to make sure it’s not overstepping its authority as it enforces various cyber policies. 

The comments come as ballots are still being counted in key races days after the midterm elections. The GOP appears poised to secure a narrow majority in the House, while control of the Senate is more uncertain — and may come down to a December runoff in Georgia.

Republicans have previously advocated for cyber policies in line with Jaffer’s predictions. Last year, Rep. John Katko (R-N.Y.), the ranking member of the House Homeland Security committee, said that the government needed to slow down the way it regulates cybersecurity and prioritize understanding what the industry needs first.

“Sometimes we put the cart before the horse when we’re talking about implementing regulations at the same time we’re setting up the process for figuring out what the needs are,” Katko told The Washington Post during an interview

In the interview, Kakto raised concerns about cyber regulations that the Transportation Security Administration (TSA) imposed last year on pipeline operators following the Colonial Pipeline ransomware attack.

“I definitely appreciate that TSA is attempting to take the cyber threat head on, but we’ve got to do it with careful input from industry stakeholders before any more directives are implemented,” Kakto said. 

His Republican colleagues on the Senate side also warned against the TSA requirements on the pipeline sector, calling them “unnecessarily burdensome” and saying they “shift resources away from responding to cyberattacks to regulatory compliance,” The Washington Post reported.

Cyber industry leaders have expressed the same concerns to lawmakers.

In April, cyber executives testifying before the House Homeland Security Committee warned against government overreach when defending the private sector against Russian threats. 

Amit Yoran, chairman and CEO of cybersecurity firm Tenable, said the federal government should be less of a regulator and more of a partner for critical infrastructure as both the public and private sectors respond to cyber threats. 

“I don’t think the U.S. government should be in the cyber defense role where they’re defending critical networks and critical infrastructure where they might not understand the changes that they might make, and how those might impact critical infrastructure,” Yoran said. 

“It’s incumbent upon those operators [working in those critical sectors], who understand how the systems operate, to defend those networks with help from intelligence and information from their government partners,” he added. 

Yoran and other cyber executives invited to testify at the hearing said the government’s focus should remain on guidance and information sharing, rather than regulation. 

Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center, said that Republicans are trying not to be overburdensome to industries by imposing all sorts of requirements that they have to meet.

She noted that there’s always been a debate between the two parties about whether the country should be pro-big government or pro-industry.

She argued, however, that that narrative should be reframed, as it is “old” and “unproductive.” Instead, she said both the government and industries in the private sector should work together to best prepare and secure the country from cyber threats. 

“This is a public health and a public safety issue,” she said, adding that in her view “the market approach at this point has not yielded better security.”

Zabierek added that government regulation in cybersecurity is likely going to be a point of contention if Republicans take over Congress, but said she hopes it remains a bipartisan issue.