BY: ERIC GELLER | 11/17/2022 05:01 AM EST
With Republicans set to take control of the House in January, the Biden administration is about to see smooth sailing on cybersecurity policy turn into choppy seas.
A GOP-led House is likely to rebuff the White House’s efforts to expand cyber rules for critical infrastructure firms, push back on federal efforts to improve election security and question President Joe Biden’s attempts to lavish money on the government’s cyber defense agency.
Over the past few years, a bipartisan congressional focus on cybersecurity has given the administration multiple big wins, including major cyber incident reporting legislation. But three of the lawmakers key to those achievements — two of them Republican committee leaders — are retiring in January, and as they head for the exits amid a transfer of power in the House, their emphasis on cybersecurity will be leaving with them.
That shift will be felt across a wide range of cyber policy issues, but the effects may be most profound in three areas of special interest to the Biden administration.
Overseeing critical infrastructure
Despite years of high-profile hacks exposing serious weaknesses in U.S. critical infrastructure, many vital companies still aren’t required to implement basic cyber defenses like multi-factor authentication and robust employee security training. The Biden administration is trying to change that by making the most of agencies’ existing authorities, but officials have said that they need Congress to expand those authorities.
The EPA is using its existing authority to issue new cybersecurity regulations soon, and the White House has also asked lawmakers to make those authorities broader and more explicit. And the government completely lacks the ability to mandate cyber protections for key manufacturing industries, major IT firms and emergency services providers, officials have said.
Had Democrats held the House along with the Senate, the White House would likely have been able to convince congressional leaders to slip language authorizing new regulatory powers into a must-pass bill, which is how most recent cyber legislation has become law.
But Republicans have consistently expressed skepticism about expanding the government’s regulatory authority, and several key lawmakers have signaled wariness about new cyber rules that might prove too uniform and too burdensome for industry.
Cathy McMorris Rodgers (R-Wash.), who is likely to chair the House Energy and Commerce Committee in the next Congress, recently said her party would seek to avoid a “one-size-fits-all” approach to regulation.
For Republicans, opposing new cyber rules would also fit into their broader anti-regulation agenda, which plays into their traditional arguments about preventing government overreach and promoting private-sector innovation. Even Republicans who might otherwise be inclined to support some new authorities will face intense pressure to line up against the Biden administration’s proposals.
Boosting the government’s cyber agency
Just as newly emboldened Republicans are expected to apply their broader regulatory skepticism to critical infrastructure protection, they’ll also apply their broader qualms about federal spending to CISA, one of the most rapidly funded agencies in the government.
Since its creation in 2018, CISA has received massive funding increases to help it meet a significantly broadened portfolio of responsibilities, such as increased monitoring of other agencies’ networks and expanded teams of regional experts. But even as lawmakers in both parties continue pushing CISA to take on more of the country’s cyber problems, the agency’s consistent budget increases could fall victim to House Republicans’ deficit warnings.
Rep. John Katko (R-N.Y.), who is retiring in January after serving as ranking member of the the House Homeland Security Committee, envisioned CISA becoming a $5 billion agency over the next few years. With his departure, there are few House Republicans left who see things his way.
Republicans are unlikely to end budget increases for CISA altogether, but they will likely begin using hearings to grill CISA leaders on exactly how they’ve put existing funds to work.
Rep. Chuck Fleischmann (R-Tenn.), the ranking member and potential next chair of the House Appropriations homeland security subcommittee, offered a preview of this strategy at an April hearing. “Does CISA need time to mature as an organization before continuing to grow at this pace?” he asked CISA Director Jen Easterly.
If agency officials can’t provide satisfactory answers, House Republicans could express their displeasure through the appropriations process.
Republicans’ razor-thin House majority also means that a handful of renegade members could block leadership’s agenda if they’re displeased with a funding bill that rewards an agency they view as insufficiently budget-conscious.
The GOP-led House in the 118th Congress will be significantly more right-wing than its predecessors, giving more power to lawmakers who have spread false claims of rigged voting machines and corrupt election administrators.
House Minority Leader Kevin McCarthy (R-Calif.), who is almost certain to be the next House speaker, has promised to restore the committee assignments that Democrats stripped from Rep. Marjorie Taylor Greene (R-Ga.), who has repeatedly promoted false claims of widespread voter fraud in Georgia during the 2020 election.
The rise of these far-right members may position the House decisively against a number of policies proposed by election integrity advocates, computer scientists, think tank experts and former election officials to help protect future contests from hackers, including through better voting machines and more effective ballot verification.
Federal grants could help state and local election officials replace old and insecure equipment, fix vulnerable voter databases and develop incident response plans. National standards could accelerate the adoption of widely recommended practices, including statistics-based post-election checks known as risk-limiting audits. A more aggressive and coordinated approach to countering misinformation could make it harder for foreign powers to exploit Americans’ grievances.
A Republican-led House is unlikely to pursue any of those policies. Bipartisan election security legislation already failed in 2019 because Republicans viewed it as trampling on states’ rights and implicitly rebuking former President Donald Trump. By the time the new session of Congress opens, Republicans in both chambers will have only moved further to the right.
CISA could also see less support for its election security initiatives from a GOP-controlled House. The agency’s fact-checking website debunks some of the very falsehoods that Greene and her fellow Republicans have promoted, and its cybersecurity advisories have occasionally warned against risky election practices in ways that Republicans could see as interfering with states’ rights.
In one notable example, CISA urged states not to use internet voting, a technology that has been championed by West Virginia’s outspoken Republican secretary of state, Mac Warner. Voting security experts say that internet voting is extremely unsafe, but now that Republicans control the House, Warner and other conservatives could find a receptive audience for their message that Washington needs to step back and let states decide what’s best for their voters.