2020 Election and 117th Congress

While the results are not technically official, the great 2020 election count is essentially over. Baring something strange (and this is 2020), 2021 will see a Biden Administration take office. The House will still be in control of the Democrats and the Senate will (probably) remain in the nominal control of the Republicans. So, what does this all mean for control system security legislation and chemical security legislation in the 117^th Congress?

The Trump Effect

While Trump lost the election, one thing is clear, he has lots of support in the hinterlands of this country. Republican politicians are going to have to acknowledge their anti-government and anti-liberal outlook as they look forward to the 2022 election cycle. How much those congresscritters are going to be willing to work with the Biden Administration will depend in a large amount on Donald Trump. If Trump continues to defy political traditions and maintains an active commentary on political matters, then the Republicans in Congress will have a harder time justifying to their base any cooperation on bipartisan legislation. If Trump folds up his tent and returns to his previous business interests, then moderate, bipartisan legislation will have some chance for success.

Spending

Any legislation, security and otherwise, that calls for significant new spending is going to run into strong opposition in the fiscal conservative faction of the Republican Caucus in the Senate. McConnel had to have their support in the 116^th Congress to keep the Caucus together. If the Trump Effect disappears, McConnel will have more leeway to work with the Democrats. Large spending programs are still going to face serious opposition.

Cybersecurity

With no major cybersecurity attacks on the election system in 2020, there is going to be a lesser demand in Congress to pass major cybersecurity legislation. Republican opposition to government mandates on businesses will continue to insure that any cybersecurity legislation will only call for voluntary compliance with any cybersecurity standards and processes established by legislation. Cybersecurity in industrial control systems will continue to be a low priority area of legislation, unless, of course, there is a significant attack on an industrial system that leads to loss of life, major physical destruction or the shutdown of major services. An attack of that sort would lead to a knee jerk reaction in any Congress that could result in significant (and probably ineffective) mandatory controls being placed on industrial control systems.

One area that will see continued support in Congress will be development of a ‘Cyber Sense’ program in DOE similar to that seen in this session’s HR 360 that was passed in the House. This sort of cybersecurity certification program for industrial control system components used in the grid infrastructure will look like an effective way to ensure security of the grid. What will be overlooked is that the replacement of ‘insecure’ components with cybersecurity certified devices will take years to accomplish if it is actually attempted, something that is far from certain without a specific (and well-funded) mandate. Further, the unfortunate information sharing limitations are sure to have the unintended consequence of impeding researchers from finding new vulnerabilities in these systems.

Additional programs could be seen to be called for in medical device security and automated transportation systems. A cyber sense program for automated transportation systems could probably be the most effective since there is not currently a large installed-device inventory that would have to be replaced. Unfortunately, the most appropriate agency to be tasked with overseeing such a program, the National Highway Transportation Safety Administration (NHTSA) does not have a cybersecurity infrastructure to call upon to oversee such a program. Adding that capability would call for a significant increase in NHTSA funding.

Ransomware

Ransomware is going to continue to be a long-term, high-profile problem going forward that may see a legislative program that actually contains some sort of mandatory provisions. Unfortunately, the prevention of these attacks will not be effective as long as the potential for making money in successful attacks remains so high. Well-funded attackers are going to be able to find ways to subvert security controls. Federal rules will be most effective in mandating reporting requirements, though there will be increasing calls for the prohibition of paying the ransoms. There will also be suggestions that the military, particularly the National Guard cyber units, be given authority to take down ransomware networks that attack State, local, Tribal and Territorial government agencies. How far legislative provision go will depend in large part in how effective ransomware attacks remain.

Chemical Security

When Congress extended the authorization for the Chemical Facility Anti-Terrorism Standards (CFATS) program this year it was for three years. That means that there will not be a major push to make changes to that program in the 117^th Congress. Even if there were a need to reauthorize the program, it is unlikely that the 2020 election would have had any significant change in the ability of the 117^th Congress to agree to what sort of changes are required in the program. The House Democrats could not agree on legislative language for a reauthorization bill in the 116^th Congress, this has been a continuing problem with the differences in outlook between the Homeland Security Committee and the Energy and Commerce Committee.

One area that may see some legislative movement is a relook at the mandate for an Ammonium Nitrate Security Program. Congress passed a mandate for DHS to establish a program to regulate the sale and transfer of ammonium nitrate (a ‘popular’ precursor for large improvised explosive devices). Unfortunately, DHS has been unable to come up with a cost-effective method of implementing that mandate. DHS has quietly suggested that Congress relook at the mandate, removing the costly registration requirements and extending the coverage to other precursor chemicals. The Biden Administration may be more vocal in supporting such a change and we could see some congressional hearings on the topic in the 117^th Congress. I would be surprised to see any such regulation passed in this session. Unless, of course, if there is a large IED detonated successfully in the United States, then I would expect to see quick, over-reactive legislation calling for an expansion of the current mandate.