Cybersecurity

Lawmakers move to boost federal cybersecurity in annual defense bill

Sen. Ron Johnson (R-Wis.) said Wednesday that he was pushing for inclusion of measures meant to defend the United States against cyber threats in the upcoming annual National Defense Authorization Act (NDAA). 

Johnson, the chairman of the Senate Homeland Security and Governmental Affairs Committee, said during a virtual committee hearing on cyber threats that he hoped to include a provision creating a federal national cybersecurity leadership position in the NDAA. 

“We are working hard to get included in the NDAA so it can become law, there is the need to put someone in charge, a national cyber director,” Johnson said.

There is currently no central federal leader for cybersecurity. The departments of Defense and Homeland Security (DHS), along with the intelligence community and the FBI, address cyber threats, but the Trump administration has lacked a central lead since the White House cybersecurity coordinator position was eliminated in 2018. 

Johnson also voiced his support for including a provision that would give DHS’s Cybersecurity and Infrastructure Security Agency (CISA) the ability to subpoena internet service providers for information on vulnerabilities detected in critical infrastructure networks. A House committee approved a bill around this issue in January.

“It’s a very necessary authority that CISA needs, and I am going to ask everybody on our committee to do everything, by hook or by crook, to hopefully get into the NDAA as well,” Johnson said. 

Both recommendations were backed by the Cybersecurity Solarium Commission (CSC), a group created by Congress in 2018 to evaluate the cyber risks to the United States. The group, which includes members of Congress and federal agency leaders, was charged with laying out recommendations on how to defend the nation against these threats. 

The CSC submitted its report, which included over 75 recommendations on how to prevent a cyber doomsday scenario, in March as the coronavirus pandemic began to sweep the world. 

Sen. Angus King (I-Maine), a co-chair of the commission, testified Wednesday that cyber threats were only “magnified” by COVID-19, as attempted hacks on healthcare and research groups involved in fighting the virus have spiked.

“We have to communicate that to our colleagues, that this isn’t something academic, this is coming at us, this isn’t something that may come at us, it’s coming at today,” King said, adding that the private sector is “being pinged millions of times a day by malicious actors.”

The Senate Armed Services Committee was due to examine the CSC’s recommendations at a hearing in March, but the hearing was postponed due to the virus. Johnson said that Sen. Mike Rounds (R-S.D.), the chairman of the committee’s cyber panel, is “leading the charge” to get recommendations from the CSC included in the 2021 NDAA.

The NDAA, a sweeping annual bill that allocates funding for the Department of Defense, originates in the House and Senate Armed Services Committees. Consideration of the bill has been delayed by the coronavirus pandemic. 

Rep. Mike Gallagher (R-Wis.), the co-chair of the CSC, said he was working with commission member Rep. Jim Langevin (D-R.I.) in the House to gather support for the cybersecurity measures. 

“As for the prospects in the House, I can’t give you a good assessment right now, but we are working with the committees,” Gallagher testified to the Senate Homeland Security panel. 

Multiple Senate committees have focused on cyber threats to the U.S. this week. 

Commerce Committee Chairman Roger Wicker (R-Miss.) and committee members Jacky Rosen (D-Nev.) and Cory Gardner (R-Colo.) introduced legislation on Wednesday to boost cybersecurity research and innovation.

Senate Energy and Natural Resources Committee Chairwoman Lisa Murkowski (R-Alaska), along with Sen. James Risch (R-Idaho), introduced a separate bill this week to help grid operators boost cybersecurity and protect critical information against attacks. 

King underlined the consequences if Congress fails to take action to protect the nation against cyberattacks, saying an attack with widespread negative consequences was “going to happen.”

“We are seeing the longest wind up for a punch in the history of the world, but that punch is going to come,” King said.