While most political observers were focused last week on the debates surrounding passage of the so-called “Cromnibus” spending bill, less noted was the fact that the U.S. Congress managed to pass a number of cyber-security bills in a rare moment of bipartisanship and cooperation between the House of Representatives and the Senate.
One bill, the Cybersecurity Workforce Assessment Act, was passed in the House by voice vote on Thursday. Originally introduced by Rep. Patrick Meehan (R-PA), the bill directs “the Secretary of Homeland Security to assess the cybersecurity workforce of the Department of Homeland Security (“DHS”) and develop a comprehensive workforce strategy.” Specifically, the Secretary must identify key positions related to cybersecurity and create a strategy for enhancing the readiness, capacity, training, recruitment, and retention of cybersecurity personnel within the DHS. The strategy must include a five-year implementation plan and a ten-year projection of the cybersecurity workforce needs of the DHS.
The final bill is slightly less demanding than the original. Whereas Congressman Meehan wanted the Secretary of Homeland Security to report to Congress every two years on the status of cybersecurity, the final version includes a mandate to report every three years. The original bill also would have required the Secretary to seek advice from academics and other private-sector analysts on the proper methods for ensuring cybersecurity, whereas the final bill only requires input from within the Department of Homeland Security.
Another cybersecurity measure passed last week was the Intelligence Authorization Act. The primary purpose of this bill is to appropriate funds to the various intelligence agencies, but a number of cybersecurity-related provisions were included. For instance, Congress directed the Director of National Intelligence to conduct a study on the feasibility of “consolidating classified databases of cyber threat indicators and malware samples in the intelligence community.” This study will include an inventory of classified databases of cyber threat indicators and any impediments to consolidation. Congress also asked the Director to examine how to retain cybersecurity specialists within the intelligence community.
Even though the Intelligence Authorization Act had broad, bipartisan support, its passage was not without difficulty. Just before it was put to a vote, the Senate quietly inserted an amendment dealing with “procedures for the retention of incidentally acquired communications.” The amendment, section 309 of the Act, requires authorities in the intelligence community to adopt procedures for disposing of private communications that were obtained without a warrant, subpoena, or similar legal device. The bill places a five-year limitation on the retention of such communications, unless they are determined to be necessary for national security purposes, criminal investigations, or are from people not protected by the Foreign Intelligence Surveillance Act.
The House originally intended to pass the Senate version with a voice vote. At the last minute, however, the staff of Rep. Justin Amash (R-MI) noticed the new Senate provision. Congressman Amash rushed to the House floor and demanded a recorded vote. He urged his colleagues to vote against the measure, arguing that the amendment would allow the intelligence community to transfer private communications obtained without a warrant to domestic law enforcement for criminal investigations. Supporters responded that the new measure would actually restrict warrantless data collection. The bill passed the House on a 325-100 vote.