Can a Bipartisan Effort Advance U.S. Cybersecurity Policy?
In the latest act of bipartisan agreement, Congress passed and the president signed the State and Local Government Cybersecurity Act of 2021 (S.2520) and the Federal Rotational Cyber Workforce Program Act of 2021 (S.1097) into law on June 21, 2022. While Congress continues to make progress with individual bills, these two laws form part of a larger current in cyber policy, one whose effects could shape U.S. cybersecurity for the next decade.
These laws provide the strongest measures yet for state and local cybersecurity and for the cyber workforce, arguably the two most undervalued cyber disciplines. Combined with the recently passed legislation requiring critical infrastructure entities to report cyber incidents and any ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA), they represent the biggest step toward a strengthened cybersecurity posture in the past year. The state and local government law requires CISA to coordinate with, and provide tools to, state and local cyber entities. The second law creates a rotational program for cybersecurity practitioners across the federal government and requires that open rotational opportunities be listed and announced publicly.
The implications of these new laws are wide-ranging. Workforce and state and local government cybersecurity are often overlooked in cybersecurity policy and tend to operate on limited resources with little attention from policymakers. The first law will provide a significant boost to the smaller government organizations that defend large swaths of U.S. government infrastructure. Coordinating with these organizations, sharing tools with them, and building tools that actually fit state and local governments have all been challenging. Together with the $1 billion in grant funds appropriated last year, the law should fund personnel to build relationships with regional CISA offices, place more staff on cyber missions within the states, and help CISA develop small-entity toolkits of the kind that have proven so effective for small businesses.
With S. 1097, the rotational program addresses two other critical barriers: workforce retention and skills development. Using a technique long employed by the intelligence community, rotational opportunities give workers a reason to stay within the federal government because they provide both a pathway to new career opportunities and a means of developing skills. The program will also improve skills in both the sending and receiving organizations, which is desperately needed as federal agencies struggle to find cybersecurity talent for roles in policy, incident response, and vulnerability management. Training existing employees is much faster, easier, and cheaper than identifying new talent and bringing it in through the slow and convoluted federal hiring process.
These two facets are key to bolstering the U.S. cybersecurity posture. Over the next several months, however, there are two even more important processes that will determine the direction of cybersecurity policy: the consideration and passage of the National Defense Authorization Act (NDAA), and the drafting and release of the National Cyber Strategy.
On the congressional side, the NDAA has recently been a useful vehicle to pass cybersecurity legislation, and this year should be no different. Rep. Jim Langevin (D-R.I.) is attempting to use his last year in the House to pass five outstanding provisions, all first recommended by the Cyberspace Solarium Commission, through the NDAA. These provisions—including codifying Systemically Important Critical Infrastructure (SICI) entities, enshrining coordination and information sharing between the government and these critical entities, establishing the Bureau of Cyber Statistics, passing the Cyber Diplomacy Act, and creating critical technology centers—are all desperately needed updates to the cybersecurity ecosystem. With the work of the Senate Armed Services Committee and the House Armed Services Committee, Congress has a once-in-a-generation opportunity to implement a transformational change in cybersecurity.
On the executive side, as the Office of the National Cyber Director (ONCD) coordinates the drafting of the National Cyber Strategy, it will lay out the path and set a new vision for an open, free, and secure internet ecosystem. Crafting a cohesive vision that inspires action from both the private and public sectors, bridges gaps with allies, and motivates new partners to come on board is not an easy task. The best strategy would coherently weave together existing ideas and clarify ONCD's stance on the strategies already laid out by the Cyberspace Solarium Commission, the Department of Defense, and Cyber Command, while addressing in a real way the loose tendrils of policy often left behind in strategy documents, such as workforce, disinformation, and emerging technology. Just as important, the strategy must avoid provoking hostility from adversaries and steer away from intensifying the ongoing polarization of the internet.
What happens in these two processes could very well determine the path of cybersecurity policy for the next ten years. In what is nearly the last policy area of bipartisan agreement, let us all hope that the NDAA process and the drafting of the National Cyber Strategy can continue to build robust cyber policy for years to come.