In the United States, cyberattacks have shut down hospitals in a matter of seconds, allowed the Russians to ransack federal agencies’ data, and nearly poisoned thousands through contaminated water. And that is just the past few months. Cyberattacks of known and unknown origin were responsible for these incidents, and Congress understands that it must provide federal agencies with resources to defend the nation against these attacks and to create policies that strengthen cooperation with local, private, and international partners. But if the past is precedent, Congress will pass limited cybersecurity bills and rely on the annual National Defense Authorization Act (NDAA) as the legislative vehicle for shepherding through important cybersecurity provisions.
But is there a downside to using a defense bill as the primary vehicle to overcome a multi-prong challenge that touches not only on national security issues but criminal justice, workforce development, private-sector collaboration, and privacy issues? If congressional committees continue to cede jurisdiction to the Armed Services committees, the primary committee responsible for drafting the NDAA but not for domestic law enforcement and homeland security, then Congress should consider whether it makes sense to create a “cyber-omnibus” bill that allows them to take a more holistic approach to cybersecurity.
The velocity and variety of cyberattacks hitting the United States underscore the need for comprehensive action. The FBI received nearly 2,500 reports of ransomware in 2020 — malware that malicious cyber actors use to lock up data and computers and hold them hostage until a ransom is paid — costing $29 million and impacting over 400 K-12 institutions and at least 80 hospitals. Russian and Chinese state actors are presumed to be behind one of the largest cyber-espionage attacks in history (the SolarWinds hack) and exploited a Microsoft vulnerability that impacted tens of thousands of customers. And more alarmingly, an unknown actor hacked a Florida water treatment facility, changed the chemical levels, and nearly poisoned an entire community.
Congress understands the multifaceted nature of cybersecurity, which is why it introduced over 300 cyber-related bills in the last congressional session that spanned a wide range of issues. While fewer than 20 became law, members of Congress folded 45 cybersecurity bills into these laws, with 32 of those bills incorporated in the 2020 and 2021 NDAAs. However, this tells only a fraction of the story. Congress used those two NDAAs to include over 150 cyber provisions that were never previously introduced as stand-alone legislation.
In fact, the past five NDAAs (fiscal years 2017-2021) contained nearly 300 cybersecurity provisions, with the past two accounting for 60 percent of all those provisions. The majority of NDAA cybersecurity provisions dealt with how the Department of Defense (DoD) carries out offensive cyber missions, protects its assets from cyber threats, and bolsters its cyber workforce. Starting in 2020, however, Congress began expanding the NDAA’s scope to cover cybersecurity issues that traditionally fell outside of DoD’s cyber mission, such as securing elections systems, private critical infrastructure, and the supply chain for information and communication technologies. As a result, the 2021 NDAA had almost four times as many cyber-related provisions as the 2017 NDAA.
While these provisions are small in number, they have significant domestic policy implications. For example, the 2021 NDAA created the groundwork for a 21st-century industrial policy by establishing a trust fund within the Treasury Department to provide grants to companies to promote and deploy 5G technology, among other things. It also empowered the Department of Homeland Security to place cybersecurity coordinators in each state, issue subpoenas to internet-service providers to warn their customers that they may have a cyber vulnerability that could be exploited, and collaborate with private partners to disrupt cyber infrastructure that cyber actors use to launch attacks.
To be clear, these provisions are needed. The fact that Congress sent fewer than 20 cybersecurity bills — two of which were NDAA bills — to the Oval Office in the last congressional session highlights the need at present to rely on the NDAA in passing critical cybersecurity law. Yet, Congress is constrained in what it can include in the NDAA, which limits the tools in our cyber toolbox. Further, the authorities and resources awarded to DoD’s cyber mission far outpace those provided to civilian agencies responsible for partnering with state, local, private, and international partners. DoD’s cyber-related budget is “nearly 25 percent higher than the total going to all civilian departments, including the departments of Homeland Security, Treasury, and Energy.” Further, some of the provisions included in the NDAA are unfunded mandates. Congress, for example, did not appropriate funds to implement the industrial policy it inked in the 2021 NDAA.
To take a more holistic approach to U.S. cybersecurity that creates authorities and provides resources to the 20-plus federal agencies with cybersecurity missions, Congress should consider the potential benefits of creating a cyber-omnibus bill. Such a bill would allow Congress to enumerate and resource a cyber bureau within the State Department, de-conflict its mission with DoD, and provide resources to FBI attaches to support overseas cybercrime efforts. It would also allow for a whole-of-society approach to prepare for and respond to cyber incidents at home by providing resources to federal and local agencies. This would then lessen the burden placed on DoD assets, such as National Guard units that assist governors in domestic cyber incident response. Lastly, it would allow Congress to expand and resource an industrial policy that is not solely premised on national security but on economic and societal innovation, too.
To be sure, the NDAA could achieve these aims and be a valuable means to pass cybersecurity legislation. But Congress should consider the limitations of solely relying on a defense-based bill for the vast majority of our nation’s cybersecurity legislation and what that means for federal partnerships with states, allies, and private companies. A cyber-omnibus bill would allow Congress to pass a wide range of cybersecurity provisions with adequate resources provided to all agencies so that they can better defend the United States against the relentless cyber onslaught.
Michael Garcia is a Senior Policy Advisor in the National Security Program at Third Way, a center-left think tank.