Where cybersecurity legislation ‘goes to die’ in Congress

0
71
Where cybersecurity legislation ‘goes to die’ in Congress




Wisconsin Sen. Ron Johnson | Getty Images

Sen. Ron Johnson’s aides say inaction on cyber bills doesn’t necessarily mean the senator is working to derail those measures. | Drew Angerer/Getty Images

Wisconsin Republican Sen. Ron Johnson leads the committee with broad oversight over the nation’s most important cybersecurity issues, including protecting consumers and U.S. elections from hackers.

But he’s also a major reason little legislation on these topics ever passes, according to lobbyists, cybersecurity policy experts, lawmakers and congressional aides from both parties who spoke with POLITICO.

Story Continued Below

Johnson or members of his staff have derailed many of the most significant cybersecurity-related bills in the past four years, including legislation to secure elections, study whether the growing use of encrypted apps hampers law enforcement, and hold companies accountable for the proliferation of insecure connected devices, people who track the legislation told POLITICO.

His panel “is the place where legislation goes to die on cybersecurity,” said Mieke Eoyang, a former Hill aide and vice president for the national security program at Third Way, a centrist think tank in Washington that works on national technology policy issues.

While no official accounting exists of cybersecurity bills in Congress, Third Way counted 15 in the last Congress that passed the House and didn’t advance through the Senate Homeland Security and Governmental Affairs Committee, which Johnson has led since 2015.

“The record speaks for itself,” former House Homeland Security Chairman Michael McCaul (R-Texas) told POLITICO, expressing frustration over the fact that Johnson hasn’t advanced cybersecurity bills that his panel approved.

Many of the 15 people POLITICO spoke with for this story refused to be named for fear of angering a chairman who holds sway over legislation now pending in Congress. But all agreed that Johnson either actively stymied cybersecurity matters or has shown little interest in advancing them in his committee, which oversees the Department of Homeland Security, one of the government agencies most focused on digital security.

Johnson came to Congress in 2010 touting his background in manufacturing as the basis for his strong anti-regulatory bent, which critics say is a chief reason he’s resisted cyber bills that could enforce new standards on industry. And since Donald Trump won the White House in 2016, the senator has adopted many of the president’s views — such as downplaying Russian interference in the last presidential election — and sought to focus on topics favored by conservatives.

“I think he’s more interested in the waste, fraud and abuse, and more the political issues,” a former committee staffer told POLITICO. “Immigration — that’s a political issue. Border security — that’s a political issue. Rooting out government fraud and waste — that’s a political issue.”

But Johnson and his aides say his critics have it all wrong. They maintain that he has explicitly focused on cybersecurity, and he and his defenders note he has proven instrumental to passing several key bills, such as one bolstering cybersecurity protections in the federal procurement process and a 2018 reorganization of the DHS cybersecurity wing.

“Protecting our nation against ever-evolving cyber threats is a significant challenge and one I take very seriously,” Johnson said in a statement to POLITICO. “We will continue our bipartisan, aggressive oversight and legislative efforts in the 116th Congress.”

He also noted that he has sent more than 100 oversight letters on cybersecurity to various agencies, such as a letter to Health and Human Services about how its new cyber center would interact with DHS.

“It’s something very important to him,” one of his aides said, speaking anonymously to POLITICO to provide background on his record. In this session of Congress, the aide said, his chief priorities are working on increasing the number of federal cybersecurity workers and delineating areas of responsibility in the federal government when it comes to cyber.

This week, his committee will mark up three cybersecurity bills that address research, workforce development and DHS’ cyber hunt and incident response teams. The business meeting was scheduled after POLITICO interviewed Johnson aides for this story.

Yet in October 2017, Johnson argued against major federal action on cybersecurity and criticized past congressional work on the matter, saying it was best left to the private-sector experts.

“When it comes to cyber, we’re all Gilligans,” he said at the time, comparing members of Congress to the bumbling, eponymous protagonist of the TV show “Gilligan’s Island” and another character, the Professor.

Johnson aides estimated that he has held 11 hearings or roundtables on cybersecurity during his four years atop the Senate Homeland Security panel, although POLITICO counted just five hearings that mentioned the subject in their titles. By comparison, the House Homeland Security Committee has held 12 hearings in the past two years.

To his critics, Johnson’s aversion to legislating on digital security became apparent soon after he came to Congress and opposed landmark cybersecurity legislation sponsored by Sen. Susan Collins (R-Maine) and then-Sen. Joe Lieberman (I-Conn.), both former leaders of the Homeland Security Committee. That sweeping bill included steps meant to nudge critical infrastructure owners to secure their systems and improve information sharing between industry and the federal government.

“He parachuted into the negotiations that had been going on for years, and with little background or awareness of the issues, he played a spoiler role and prevented progress toward consensus,” said one person familiar with past legislative efforts. The bill was defeated in 2012 after pushback from the U.S. Chamber of Commerce and others.

Johnson argued that the bill was bad for businesses because he contended it would introduce new regulations, according to a former congressional staffer.

Since he took over the Senate Homeland Security Committee, observers say a common pattern emerged on cyber bills: a string of questions from his staff, and then silence.

For instance, when McCaul and Sen. Mark Warner (D-Va.) introduced a bill in 2015 to study the spread of encryption on personal devices, it went to Johnson’s committee. A Hill aide said the chairman was interested but kept asking for changes, all which McCaul and Warner accommodated. Johnson didn’t act, and the aide said Johnson staffers explained that time ran out on the measure before the congressional session ended.

That same year, DHS unveiled a plan to reorganize part of the department chiefly responsible for cybersecurity. A former Obama administration official who advocated for the bill said Johnson staffers once again asked a lot of process questions. “They put us through the paces,” the official said. “It was painful.”

Three years later, the Homeland Security bill did become law.

Johnson’s committee didn’t take action during Congress’ last session on legislation to improve the security of connected devices, a bill sponsored by Warner and Sen. Cory Gardner (R-Colo.).

His panel also didn’t act on a modified version of the Secure Elections Act, a bipartisan bill that would, among other provisions, seek improved coordination between DHS and state and local election officials to improve overall election security and thwart attempts to hack voting machines. Sponsors of the bill tried to attach it to another measure in Johnson’s committee, but they withdrew it amid complaints from state officials.

Still, Johnson critics say he has done little to advance the legislation. In various conversations, according to a lobbyist familiar with the matter, Johnson said he was not planning to co-sponsor the Secure Elections Act, or any similar legislation, because he believed the “threat is overblown.”

But Johnson aides say inaction on cyber bills doesn’t necessarily mean the senator is working to derail those measures. His aides said some of their constraints are because floor time for full Senate debates and consideration is rare, which means anything the committee moves needs unanimous support, and some of the cyber bills the critics cite fell short of getting that in his committee.

For instance, the aides said, both Democrats and Republicans on the panel expressed skepticism about the capabilities of DHS to handle more cybersecurity responsibilities. And contrary to allegations that Johnson delayed the department’s reorganization efforts, his aides said, he gave his blessing to attaching the proposal to an omnibus spending bill early in 2018, only for an anonymous senator to block it.

He worked with other committees to overcome any objections, allowing it to pass later in the year, the aide said. They said he doesn’t let politics interfere in the committee’s work, pointing to several occasions where he worked closely with Obama administration DHS Secretary Jeh Johnson.

The bill creating a commission to study encryption, the aides said, didn’t muster support of the entire panel. The same was true with the Secure Elections Act, the aides said, adding that Johnson himself only supported elements of the bill. His comments on election interference have been misconstrued, they said — he considers it a threat, but wanted to give the threat context by pointing out that widespread hacking of election infrastructure would be difficult.

For every critic who says Johnson is not focused enough on the DHS side of his committee’s responsibilities, another says he’s not focused enough on his governmental affairs responsibilities, the aides said.

And not everyone who spoke to POLITICO sees Johnson as a hindrance to getting cyber legislation through Congress.

“He played a key role in passing [the DHS cyber reorganization bill] and leading the way on chemical facility security reauthorization legislation that contained an important cyber risk management provision,” said Matthew Eggers, the Chamber’s vice president of cybersecurity policy.

“There are a few things we’re considering legislatively that will be tough to tackle this Congress,” he said, such as legislation to provide liability protections to approved cybersecurity vendors. That’s a bill Johnson’s panel scheduled for consideration last year but pulled amid what he said were committee disagreements. “We look forward to working with Chairman Johnson on getting these priorities across the finish line.”

Martin Matishak contributed to this report.

Read More

LEAVE A REPLY

Please enter your comment!
Please enter your name here