What’s in store for cybersecurity in Congress’s stretch run


Welcome to The Cybersecurity 202! I’m already encountering far too much Christmas music. For me, the ideal amount is zero.

Below: The European Union advances cybersecurity rules for banks, and a European regulator fines Facebook parent Meta after an investigation into “scraping.” First:

There could be some cyber hits and misses during Congress’s lame-duck session

Congress has an ambitious agenda as it returns this week for a lame-duck session finishing up the year. Amid the last-minute maneuvering, lawmakers are trying to get cybersecurity proposals across the finish line.

Much of the cyber legislation could hitch a ride on the annual must-pass defense policy bill, which Congress has successfully delivered to the president for a signature for the past 61 years. But with House control set to switch from Democrats to Republicans, Kevin McCarthy (R-Calif.), who will likely be the next speaker, is pushing for a delay of the fiscal 2023 defense measure.

That makes it more difficult to predict with any certainty whether key cyber provisions will get done this year (as if it were ever easy to anticipate what Congress might do). As such, we’ll break this down in Magic 8 Ball terms — how likely each piece of legislation is to pass, and why.

Cyber legislation is often bipartisan and not as controversial as other legislation. But in recent years, the debate over regulation has sidelined some bills that proponents see as critical for boosting cybersecurity.

Reporting draws on interviews with Hill aides and outside experts and advocates, most of whom spoke on the condition of anonymity to discuss ongoing deliberations.

State Department cyber bureau. Bipartisan legislation would effectively codify into law the State Department’s Bureau of Cyberspace and Digital Policy. The argument for doing that: State’s cyber office has evolved repeatedly from administration to administration, and making it permanent would stabilize the department’s cyber work. This is one of several pending proposals favored by the congressionally established Cyberspace Solarium Commission that could see action in the lame-duck session.

Cybersecurity and Infrastructure Security Agency term. Another bipartisan effort would set the base tenure of CISA’s director at five years. It’s a bid to keep the office nonpartisan by stretching the term across more than one presidential administration.

Federal agency cloud security. Noncontroversial legislation that would overhaul the program that gives cybersecurity certification to federal cloud providers is one of the few bills on this list that might get a stand-alone vote in the Senate, Nihal Krishan reported for FedScoop.

Spyware safeguards. The Office of the Director of National Intelligence could bar spyware makers from receiving spy agency contracts under the fiscal 2023 intelligence authorization bill. It’s another bipartisan proposal, one that lawmakers also hoped to fold into the annual defense measure.

  • But House Intelligence Committee member Jim Himes (D-Conn.) said recently that the spyware language has encountered friction over congressional turf matters, making the prospects of its inclusion in that defense bill murky.

Federal cyber oversight. Legislation to update a 2014 law governing federal agency cybersecurity doesn’t have a clear path to passage at the moment. It got left out of last year’s defense policy bill, despite not being particularly divisive, as lawmakers hustled to reach a final deal on the overarching legislation.

  • The Senate Homeland Security and Governmental Affairs Committee advanced this bill and the federal agency cloud security legislation as stand-alone bills. A committee aide told me both measures “are critical and we must continue working to get them over the finish line.”

Chinese chip ban. Senate Majority Leader Chuck Schumer (D-N.Y.) and Sen. John Cornyn (R-Tex.) are lobbying colleagues to embrace a defense policy bill amendment that would ban the U.S. government from doing business with Chinese chipmakers that the Pentagon considers military contractors, Politico’s Alex Ward reported. Industry groups joined forces to fight the amendment, saying it would be hard for businesses to comply, among other objections.

  • Often, when massive industry coalitions pressure Congress, they get their way. But when two of the most senior leaders of their parties in the Senate join forces, they often get their way, too. That dynamic renders this proposal’s fate particularly uncertain.

Protection of the most “systemically important entities.” The idea is to determine which critical infrastructure is most vital, then prioritize its protection with a mix of “benefits” and “burdens.” The proposal got further this year than it has in the past. Then a coalition of industry groups came out especially strongly against it, saying no concessions from its congressional authors could suffice.

Software ingredient list. Multiple industry coalitions piled on against provisions in the House version of the defense authorization bill that would require Defense Department contractors to deliver a “bill of materials” to the Pentagon, listing software components.

  • Industry groups feared that the “systemically important entities” and “software bill of materials” provisions overlapped with, duplicated and complicated existing executive branch work on those topics. “What we’ve been trying to get at is, we’ve been advocating for policy, legislative and regulatory harmonization, not only on ‘software bill of materials’ but other cybersecurity issues,” Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce, told me.

Public-private information sharing. Both the House and Senate versions of the defense authorization bill included language creating a “Joint Collaborative Environment” — a program to foster threat information sharing between government and industry. Last year, lawmakers excluded the language from a deal on the fiscal 2022 bill, with the Trump administration threatening a veto over what it considered a threat to intelligence agencies’ protection of their “sources and methods.”

  • While inclusion in both chambers’ version of the bill would seem to have given it a solid chance of becoming law, the National Security Agency recently began objecting to the bill language, Politico reported. The NSA cited it as a potential impediment to existing information-sharing programs, according to the news outlet.
  • That presents a challenge for the legislation, which may still live on through a snippet like a mandated future study on the proposal.
  • “I am deeply disappointed by those who have decided to raise last-minute and misguided objections to the establishment of a Joint Collaborative Environment in this year’s NDAA,” Rep. Jim Langevin (D-R.I.), who chairs the House Armed Services Committee’s cyber panel, said in an emailed message to me. “Despite the efforts of these opponents, I am confident that language will be included in the final bill text to advance the establishment of the JCE in future Congresses.” Langevin, the co-founder of the Congressional Cybersecurity Caucus, is retiring in January.

European Union advances cyberresilience rules for banks

The Digital Operational Resilience Act will apply to banks and “critical” third-party IT firms like cloud-computing providers, Reuters’s Huw Jones reports. It would make the companies ensure that they’re able to hold out against cyberattacks and respond to them.

“Regulators worry about the speed and scale at which banks, insurers and investment firms are moving critical functions and market operations onto a handful of cloud platforms,” Jones writes. “A glitch at one cloud company could potentially bring down services across many financial firms, regulators have said.”

The European Council’s adoption of the rules was the “final step” of the legislative process, it said. European countries themselves have to pass some parts into national law, and regulators — which will enforce the rules — “will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management,” the council said.

Irish regulator fines Meta $277 million after scraping investigation

Ireland’s Data Protection Commission (DPC) said Facebook parent Meta violated parts of Europe’s General Data Protection Regulation (GDPR), the Associated Press’s Kelvin Chan reports. The regulator opened an investigation after reports last year that a trove of data from Facebook accounts had been found online. Meta said the data was obtained after someone “scraped” Facebook using its tools for finding friends by importing contacts or phone numbers.

Meta told the AP that it fully cooperated with the DPC and is “still reviewing this decision carefully.” The company also said that it “made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.” It added that “unauthorized data scraping is unacceptable and against our rules.”

Could Vanuatu’s ‘activities on the world stage’ have made it the target of a month-long cyber attack? (Australian Broadcasting Corporation)

Pegasus spyware inquiry targeted by disinformation campaign, say experts (The Guardian)

Israel Police, FBI officials call for more aggressive crime tech laws (Jerusalem Post)

How a cyberattack plunged a Long Island county into the 1990s (New York Times)

JPMorgan, other banks in talks to reimburse scammed Zelle customers (Wall Street Journal)

Cyberinsurers turn attention to catastrophic hacks (Wall Street Journal)

  • Deputy national security adviser Anne Neuberger, Maryland Gov. Larry Hogan (R), National Institute of Standards and Technology Director Laurie Locascio and other officials speak at the Quantum World Congress in Washington on Wednesday and Thursday.
  • National Cyber Director Chris Inglis, CISA executive director Brandon Wales and Neuberger speak at a meeting of the National Security Telecommunications Advisory Committee on Thursday at 3:30 p.m.

Thanks for reading. See you tomorrow.