Wednesday, December 21, 2016

114th Congress Cybersecurity Legislation

With less than two weeks left until the 114th Congress ends on January 3rd, 2017, it is a good time to look at the record of this session of Congress to see how much work was accomplished in the legislative arena on cybersecurity issues. While I would like to be able to focus just on control system security issues, there were very few bills that focused on, or even mentioned, that topic. So for this post I will focus on general cybersecurity issues while ignoring strictly breach notification bills and cybersecurity bills that focused on government IT issues.


Members of the House introduced 38 bills that addressed cybersecurity issues and passed 17 of those bills. Sixteen of those bills did not make it to consideration in the Senate. Those sixteen bills were:

HR 3586 - Border and Maritime Coordination Improvement Act – Includes cybersecurity;
HR 4909 - National Defense Authorization Act for Fiscal Year 2017 – Includes cybersecurity;
HR 5293 - Department of Defense Appropriations Act, 2017 – Includes cybersecurity;
HR 5388 - Support for Rapid Innovation Act of 2016 – Includes cybersecurity;
HR 5389 - Leveraging Emerging Technologies Act of 2016 – Includes cybersecurity;
HR 6393 - Intelligence Authorization Act for Fiscal Year 2017 – Includes cybersecurity;

Note that six of those sixteen bills were not principally cybersecurity bills, but did include significant cybersecurity provisions. This was the first session of Congress to include cybersecurity measures in other bills (excluding authorization and appropriations bills).

The one House bill with cybersecurity provisions that did make it to the President’s desk was HR 2029. That was the Consolidated Appropriations Act of 2016 (PL 114-113) and it included the Cybersecurity Act of 2015. This was the long awaited information sharing bill that Congress had been trying to pass for the last six years in one form or another.


With less than a quarter of the members of the House, the Senate still introduced 22 cybersecurity-related bills in the 114th Congress. Only two of those bills passed and one (FY 2016 NDAA – PL 114-92) made it to the President’s desk for signature.

S 1356 - National Defense Authorization Act for Fiscal Year 2016 – Includes cybersecurity;

It should be noted that portions of S 754 made it into the Cybersecurity Act of 2015 as did portions of HR 234, the Cyber Intelligence Sharing and Protection Act, which saw no formal action in the House.

115th Congress

With the amount of press coverage of cybersecurity issues in the recent presidential election (not so much in the realm of policy discussions from the campaigns), it is easy to guess that cybersecurity will remain a topic of concern in the 115th Congress. It is hard to imagine that the Republican-controlled Congress will do much to require the regulation of cybersecurity in the private sector, but I do suspect that we will see continued interest in information sharing from federal agencies to the private sector.

There will be continued discussion in the military and intelligence appropriations and authorization bills about the role of cyber retaliation for attacks on Federal agencies and major societal institutions.

The big unknown for those of us that watch the Congress is trying to predict what type of cyber incident will produce a knee-jerk reaction from the politicians on the order of a cyber patriot act. A control system incident that results in death or major infrastructure damage is very likely to inspire that type of political over-reaction, especially if it is linked to a foreign government or terrorist organization. Whether or not a lesser incident will produce a similar response remains to be seen.
