A lofty but critical cybersecurity dream that must turn into reality
In its current form, committees with differing agendas wrangle for jurisdiction and block passage of cybersecurity legislation. Rather than rely on experts on centralized authority—because many are loath to give up any power whatsoever, even for the greater good—the broken review process hampers our national security by preventing the passage of any major cybersecurity legislation. And every year Congress does not treat cybersecurity policy with the same intensity as they do health care, taxes or the economy, our enemies find new weaknesses to exploit, intellectual property to steal or innovate while we lag behind.
And before we say that no member of Congress would voluntarily give up Committee jurisdiction, take into consideration that one of the most powerful cybersecurity chairmen on the House sidem Representative Jim Langevin, offered to do just that in the name of improved cybersecurity. But he is not the only one on Capitol Hill to think this is smart policy. Among the recommendations of the bipartisan Cyberspace Solarium Commission, which outlined major reforms to U.S. cybersecurity strategy last year, was the creation of a House Permanent Select and Senate Select Committee on cybersecurity to “consolidate budgetary and legislative jurisdiction over cybersecurity issues, as well as traditional oversight authority.”
The new committees would be structured in a bipartisan manner, a la the Select and Permanent Committees on Intelligence, and focus on expertise of members. This committee structure is specifically designed to encourage cross-committee and bipartisan collaboration that is often necessary for long-lasting, strong policy. The committees would hold hearings, subpoena witnesses, consider and promulgate legislation, and oversee national cyber strategy development and implementation.
While congressional committee structure is a wonky, low-visibility issue, it has real consequences for U.S. national security. Most recently, the dispersed nature of oversight on cybersecurity assuredly contributed to the intelligence and defensive failure that led to the SolarWinds hack. If we are serious, this time, about fixing our cybersecurity issues, the organization of Congress should be on the top of our collective priority lists. The largest technology companies like Microsoft have called for more leadership and a “global cybersecurity response” to threats. Now is the time.
Reorganizing the cybersecurity committee structure comes with significant benefits. First, improved oversight. The intelligence community went through a similar reorganization in the 1970’s when weak oversight by Congress was found to have contributed to abuses of power in the intelligence community. Similarly, we’ve seen what happens when we as a nation do not prioritize cybersecurity and coordinate oversight (SolarWinds, attacks on COVID-19 vaccine research). We know the harm that can come to even the largest and best-protected organizations like Merck and the National Nuclear Security Administration when cybersecurity practices and budgets are not reviewed by Congress.
Second, an improved committee structure in the House and Senate could also enhance cybersecurity planning, implementation and strategy. As the Commission argued, a comprehensive national cybersecurity strategy is the fundamental building block upon which all other cybersecurity efforts must rest. If committees review only their own jurisdictional efforts on cybersecurity, we will continue to see disparate and disjointed progress. Likewise, we need staff who are trained and laser-focused on developing cybersecurity expertise to help us create a whole-of-nation strategy on cybersecurity.
The Select committee and permanent committees on cybersecurity are the only way to accomplish that aim. It is difficult to reorganize and change rules in Congress, but if you’re going to have a bipartisan discussion on how to make things work, fix cybersecurity, too, before it is too late.
Image credit: deepadesigns
