Reconciliation of China bills in Congress could produce big cybersecurity wins

Congress deserves mixed grades for its recent efforts to strengthen the nation’s cybersecurity and improve the resilience of its critical infrastructure. If Republicans and Democrats can find a path forward to integrate the Senate’s U.S. Innovation and Competition Act (USICA) with the House’s America COMPETES Act, Congress could make substantial, long-term investments in America’s technology future.

The two bills would build upon important but insufficient cybersecurity provisions in recent legislation. The Infrastructure Investment and Jobs Act, which President BidenJoe BidenGas prices hit new record of .43 per gallon, up 79 cents in two weeks Five key developments in Russia's invasion of Ukraine Biden's CIA head leads the charge against Putin's information war MORE signed into law in November, contained $1 billion to enhance the cybersecurity of state and local governments and established a Response and Recovery Fund for major cyber incidents. Yet that law’s support to specific critical infrastructure sectors was inconsistent and missed some glaring weaknesses, such as those of the water sector.

Similarly, the National Defense Authorization Act (NDAA) for Fiscal Year 2022, which the president signed into law in December, had 40 cybersecurity-specific authorizations. But during conference, Congress dropped some of the most significant provisions, such as mandatory incident reporting.

Now, lawmakers get another bite at the cybersecurity apple as Congress sets up its conference committee to adjudicate USICA (which passed on a bipartisan basis last June) and the COMPETES Act (which passed last week on a nearly partly-line vote).

House and Senate lawmakers have a $52 billion starting point: Both bills contain $52 billion in funding for the CHIPS Act, which establishes a grant program to support domestic semiconductor production. Congress passed the CHIPS Act on a bipartisan basis as part of the FY2021 NDAA.

CHIPS funding is the most headline grabbing (and expensive) single issue in the two bills, but it is by no means the only important cybersecurity and critical infrastructure provision. The USICA and COMPETES bills have similar cybersecurity provisions in three arenas that House and Senate members can easily reconcile and embrace. 

First, both bills seek to rectify dramatic shortages in the federal cyber workforce. They invest in STEM education and create rotational cybersecurity positions giving federal employees the flexibility to gain experience and skills. The House bill also expands “CyberCorps: Scholarship for Service,” a critical, ROTC-like program for the federal cybersecurity workforce, from its current $60 million annual budget to $90 million by fiscal year 2026. This will increase both the number of students (future federal employees) and the number of universities and community colleges involved. Such a provision would likely receive bipartisan support in the Senate.

Second, both bills invest in U.S. leadership in international technical standards-setting bodies like the International Telecommunication Union. This arena has become a crucial battlefront in the contest between Western values of a free and open internet and the authoritarian push for ever-greater state control and censorship. Beijing has aggressively sought to gain leadership positions and promote technically flawed proposals in these forums in order to distort and weaponize the bodies against the interests of America and its partners. Both bills thus strive to improve America’s response to Chinese maneuvering. 

Third, both bills increase funding for the State Department’s Global Engagement Center, an important agency for battling foreign disinformation campaigns.

Next, the conference members should work to reach agreement in several other areas tackled only in one chamber’s bill.

The House bill, importantly, requires the executive branch to develop a strategy for “information and communication technology critical to the economic competitiveness of the United States.” Such a strategy would ensure that America is not dependent on untrusted vendors beholden to foreign powers or who otherwise have lax security. 

Three other provisions of note: the House bill 1) designates “Critical Technology Security Centers to evaluate and test the security of technologies essential to national critical functions,” 2) creates international capacity-building programs to improve the cybersecurity of U.S. allies and partners, and 3) supports the software security and digital privacy work of the National Institute of Standards and Technology.

Meanwhile, the most significant provision unique to the Senate bill creates a National Risk Management Cycle to “identify, assess, and prioritize cyber and physical risks to critical infrastructure.” Understanding these risks is the foundational step to properly resourcing U.S. government efforts to defend against, mitigate, and deter these threats. In its comprehensive March 2020 report on U.S. cyber strategy, the Cyberspace Solarium Commission noted that the U.S. government “lacks a rigorous, codified, and routinely exercised process” for identifying risk. Even where the government has identified critical infrastructure risks, a lack of sustained funding has limited the mitigation and management of the risks over time. A National Risk Management Cycle would begin to rectify this problem.

The Senate version also includes provisions to create regional technology hubs built on partnerships among industry, academia, and workforce groups to support domestic high-tech job growth in areas of the country that have not been historic innovation centers.

A successful bipartisan conference should result in numerous meaningful cybersecurity provisions enacted into law. While not as flashy as CHIPS, they collectively lead to more effective cybersecurity and more resilient critical infrastructure.

Retired Rear Admiral Mark Montgomery is a senior fellow at the Foundation for Defense of Democracies (@FDD) and senior director of FDD's Center on Cyber and Technology Innovation (CCTI). He previously served as a senior adviser to the Cyberspace Solarium Commission. Annie Fixler is deputy director of CCTI. Follow the authors on Twitter @MarkCMontgomery and @AFixler. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.

Comments are closed.