A bipartisan contingent of House members last week sent a letter to congressional leaders requesting their support for funding in future COVID-19 relief legislation for state and local governments to modernize their information technology (IT) infrastructure to better cope with demands from their citizens in crises while also bolstering the security of their networks.
The request for the federal government to help state and local governments with their IT needs aligns with one of the recommendations from the recent Cyberspace Solarium Commission that calls for incentives to encourage states and municipalities to migrate to cloud computing services.
"In the bipartisan CARES Act, we recognized the vital role states and municipalities are playing on the front lines of this crisis and provided funding both to address COVID-specific needs and to help administer federal programs that are managed by state agencies," the 25 House members wrote on May 18 to top House and Senate leaders in both parties. "However, these investments are insufficient to address the significant technical challenges states continue to face, nor will they address rising cybersecurity concerns as more work is conducted remotely."
The request was led by Reps. Jim Langevin (D-R.I.), Michael McCaul (R-Texas), Cedric Richmond (D-La.), and Mike Gallagher (R-Wis.) and the letter was released by Langevin's office last Friday. Gallagher is co-chair of the Cyberspace Solarium Commission and Langevin is a commissioner. In March, the commission made more than 75 recommendations aimed at strengthening the nation's cyber security posture and capabilities.
Langevin is working with his House colleagues to get "as many" commission recommendations into legislation this year as possible, including as part of the National Defense Authorization Act (NDAA) or otherwise, he said in an interview with Defense Daily on Friday. This is a "top priority for me and Congressman Mike Gallagher," Langevin added.
That's true in the Senate with Sen. Angus King (I-Maine), the other co-chair of the commission, and Sen. Ben Sasse (R-Neb.), who is also a commissioner, Langevin said.
One of the top priorities is the creation of a Senate-confirmed National Cyber Director (NCD) in the executive branch with "policy and budgetary authority for coordinating defense of the government and whole of nation incident response," Langevin said.
Langevin said he has support for the NCD position from Rep. Carolyn Maloney (D-N.Y.), the chairman of the Committee on Oversight and Reform. He said she plans to host a hearing soon on the NCD recommendation.
Sen. Ron Johnson (R-Wis.), the chairman of the Senate Homeland Security and Governmental Affairs Committee, last week said he also supports the NCD position but wants more clarification from the commission about the position to ensure it is able to cut through the bureaucracy rather than add to it.
Another priority is establishing an Assistant Secretary of State for Cyber, who would lead a Bureau of Cyberspace Security and Emerging Technologies, Langevin said. The commission emphasized the need for the U.S. to work with international partners and allies to establish norms of behavior in cyberspace.
The COVID-19 pandemic has demonstrated the need to focus on economic continuity amid a crisis, he also said.
"We see a lot of parallels between the types of things that need to be done if there were a major cyber incident and also what we're experiencing because of COVID so we want to make sure the cyber infrastructure is strong and we're doing continuity of economy planning," Langevin said.
Related to planning for economic continuity is the recommendation to help state and local governments with their IT modernization and cloud migration, he said.
"That's a big deal," Langevin said in the interview. "So many states have antiquated IT infrastructure and security vulnerabilities that go along with that but if we upgraded and improved IT infrastructure and we incentivize and help support states and municipalities moving to the cloud, that has the added benefit of improving their IT and their applications but also to surge whenever more capacity is needed."
Creating a National Risk Management Cycle and clarifying roles and responsibilities at sector risk management agencies is another priority, he said.
Longer term priorities for getting commission recommendations through Congress include the creation of select committees in the House and Senate for most federal cyber issues, Langevin said. This will develop cyber security expertise within Congress, more coordinated oversight of cyber security, and move with "greater agility" on getting cyber legislation through Congress, he said.
The creation of a Bureau of Cyber Statistics within the Department of Commerce is also a longer-term priority, Langevin said. This office would collect data on breaches and "measure risk and effectiveness of various cyber security measures," he said.
While these may be longer term efforts, Langevin didn't say there wouldn't be an attempt to get them into legislation this year.
"We're going to try and get as many of these into the NDAA as possible or other mechanisms in Congress," he said, mentioning the Homeland Security Committee.
Rep. Bennie Thompson (D-Miss.), chairman of the Homeland Security Committee, told Langevin on Friday he is planning on hosting a hearing in the near-future on the commission's findings and report. In addition, Langevin, who chairs the Emerging Threats and Capabilities Subcommittee of the House Armed Services Committee, is planning a hearing soon as well on the commission's findings.
Langevin said to stay tuned for when his subcommittee marks up its portion of the fiscal year 2020 NDAA within the next month for what commission recommendations he'll have in the bill.