Regardless of who won the presidential election, it was always expected that cybersecurity would continue to be a leading concern for business and government alike. As new cyber threats and the evolution of technology and the Internet of Things (IoT) become inevitable, cybersecurity is likely to increasingly be viewed as both an economic and national security priority. For these reasons, cybersecurity is a policy area likely to see both Executive Branch and legislative action in 2017.
Executive Branch Agenda
While President-Elect Donald Trump has yet to detail his cybersecurity agenda, perhaps the greatest insights on what his priorities might be were shared on the campaign trail during an October speech to the Retired American Warriors (RAWPAC). In his address, President Trump pledged to make cybersecurity an "immediate and top priority." Further, he went on to outline a four-pronged vision for cybersecurity improvements, including:
1) An immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement, and the private sector;
2) Instruction for the Department of Justice (DOJ) to create Joint Task Forces throughout the U.S. to coordinate federal, state, and local law enforcement responses to cyber threats;
3) An order for the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command (CYBERCOM), with a focus on both offense and defense in the cyber domain; and
4) Development of the offensive cyber capabilities needed to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.
Key Trump Administration Political Appointees and Career Staff
While nominees for a number of key cybersecurity posts have yet to be named, those already announced including Sen. Jeff Sessions (R-AL) to serve as Attorney General and Rep. Mike Pompeo (R-KS) to serve as Central Intelligence Agency Director (CIA) seem to signal that President Trump may take a hawkish approach to cybersecurity. At the White House, expect Homeland Security Adviser Thomas Bossert to also play a role in implementing President Trump's cybersecurity agenda.
The leadership of the Department of Homeland Security (DHS), Department of Commerce, Federal Bureau of Investigation (FBI), Federal Trade Commission (FTC), Federal Communications Commission (FCC) will also influence both domestic and international policies governing privacy, data collection, and information security. Gen. John Kelly, nominated to serve as DHS Secretary, has not been a prominent player on cyber, but has acknowledged cybersecurity as a "challenge without borders." Further, Wilbur Ross, the billionaire selected by President Trump to lead the Commerce Department, has articulated interest in enforcing a zero tolerance policy for intellectual property (IP) theft resulting from cyberattacks.
Although President Trump supports a stronger national security apparatus, he and Congressional Republicans also appear to favor a more laissez-faire regulatory state. In the year ahead, the FCC and the FTC are likely to apply a "light touch" to e-commerce, IoT, data security enforcement, and other areas affecting the Internet and connectivity. We expect President Trump will name and the Senate will confirm free market advocates to these two agencies, such as American Enterprise Institute (AEI) scholar Jeffrey Eisenach to the FCC and former FTC commissioner Joshua Wright to the FTC. These two figures could be Commission Chairs but so could current commissioners, such as FCC Commissioner Ajit Pai and FTC Commissioner Maureen Ohlhausen, both of whom Senate Republicans likely would support as chairs.
Finally, it remains to be seen how President Trump may seek to leverage Obama Administration career officials to execute his cybersecurity agenda. For example, both Federal Chief Information Officer (CIO) Tony Scott and Federal Chief Information Security Officer (CISO) Greg Touhill have expressed interest in continuing to serve under President Trump and may offer some continuity in the Executive Branch's implementation of cybersecurity policy. It is also unclear how the Trump Administration may integrate the recommendations of the Commission on Enhancing National Cybersecurity into its cybersecurity agenda.
Notable Congressional Committee Changes/Caucus Activity
Several Members of Congress who have led congressional committees with jurisdiction over cybersecurity or otherwise emerged as leading voices on information technology (IT) policy will continue to do so in the 115th Congress. One notable change, however, is that Sen. Claire McCaskill (D-MO) will take over for Sen. Tom Carper (D-DE) as Ranking Member of the Senate Homeland Security and Governmental Affairs Committee (HSGAC). Additionally, Sen. Mark Warner (D-VA) will become the top Democrat on the Senate Intelligence Committee, replacing Sen. Dianne Feinstein (DCA), who will now serve as Ranking Member of the Judiciary Committee.
Complicating the prospects for the passage of cybersecurity legislation in the new Congress will continue to be the fact that no one committee has complete jurisdiction over the issue. By one count, there are at least 78 congressional committees and subcommittees tasked with overseeing cybersecurity. Jurisdictional issues may receive some attention early in the new Congress, with a growing call led primarily by Sens. John McCain (R-AZ), Lindsey Graham (R-SC), Cory Gardner (RCO), Chuck Schumer (D-NY), and Jack Reed (D-RI) to establish a select committee on cyber to investigate Russia's use of cyber tactics to influence the 2016 U.S. presidential election. This proposal has been rejected by Majority Leader Mitch McConnell (R-KY). The Senate Armed Services Committee will hold a hearing on foreign cyber threats to the U.S. on January 5th.
Since it appears likely that a number of committees will continue to have jurisdiction over cybersecurity for the foreseeable future, we expect the Congressional Cybersecurity Caucus led by Reps. Mike McCaul (R-TX) and Jim Langevin (D-RI) and the new Senate Cybersecurity Caucus led by Sens. Gardner and Warner will play an especially important role throughout the 115th
Congress in creating platforms for Members and key staff to keep informed on major policy issues and developments in cybersecurity, including impacts on national security, the economy, and digital commerce.
Potential Legislative Activity
On Capitol Hill, there is expected to be ongoing bipartisan interest in updating the federal government's cybersecurity standards and increasing resources to ward off cyberattacks. In his FY17 budget request, President Barack Obama included a $5 billion increase in cyber spending, ultimately blocked by Congressional Republicans. Budget experts believe the Republican-controlled Congress may be more receptive to an increase in cyber spending directed by a Republican White House.
As we have seen in the past, cybersecurity jumps to the top of the legislative agenda in the aftermath of any high profile cyberattacks. There are some who have cautioned the incoming Trump Administration to be on high alert for potential cyberattacks in the early days of the new Administration, perpetrated to test the incoming President. If there were to be a large scale cyberattack, it is likely many existing policy proposals would serve as the foundation for a legislative response.
In particular, legislation that could be revisited in the new Congress might include the Digital Security Commission Act, the encryption bill introduced by Sen. Warner and Rep. McCaul, and the Modernizing Government Technology (MGT) Act, a bill championed by Rep. Will Hurd (R-TX) that would authorize funds to upgrade IT across federal agencies. This legislation passed the House in 2016, but did not receive a vote in the Senate prior to adjournment. Additional hot topics may include encryption, data collection, European Union (EU)-U.S. privacy shield, critical infrastructure protection, IoT/smart cities, cyber hygiene, IT modernization, cyber workforce, and federal IT acquisition.