If the bill passes next week and is signed into law, another amendment would codify cybersecurity roles for sector-specific agencies.
Language calling for a national cyber director within the Executive Office of the President is included in a final 2021 National Defense Authorization Act, which the House will soon vote on, according to Rep. Jim Langevin, D-R.I.
In an interview with Nextgov, Langevin said the House will vote next week on the roughly $722 billion defense bill that is chock full of cybersecurity provisions that will affect all agencies. The Senate on Wednesday also agreed to proceed on the bill, which the chair and ranking member of the House Armed Services Committee announced has achieved bicameral agreement.
Members of both chambers have been in conference to reconcile the House and Senate versions of the bill, which both passed with veto-proof majorities. Members of Congress are committed to moving forward on a final conference report despite renewed threats from President Trump who has insisted the defense bill should remove liability protections in place for social media companies.
“I don’t think the president wants to be in the position ultimately of vetoing,” the crucial national security provisions included in the NDAA, Langevin, chairman of the House Armed Services subcommittee on intelligence and emerging threats and capabilities, said.
The call for a national cyber director is seen by much of the cybersecurity community as one such provision. But where the House-passed bill included the provision, the Senate-passed version only called for a report on the merits of establishing the office and its accompanying staff. But the provision enjoyed the support of key members, including Senate Homeland Security Committee Chairman Ron Johnson, R-Wis., and Langevin said “yes,” it’s in the final version.
Langevin has said he would like to see former National Security Agency Deputy Director Chris Inglis in the position.
The congressman also highlighted the inclusion of an amendment he offered to codify the designation of sector-specific agencies that would bear the responsibility of assisting private-sector entities secure the critical infrastructure they own and operate. The president would only be able to designate Chief Financial Officer Act agencies.
The roles and responsibilities for such agencies were laid out in a 2013 presidential directive which Langevin said agencies have differed greatly in implementing.
“The Department of Energy is doing a lot in terms of working with the private sector critical infrastructure,” Langevin said, for example. “But [the Environmental Protection Agency] is not doing much of anything and I don't think they at all understand the cyber risks or what their role and responsibility to work with the private sector really is.”
Langevin stressed that the support the designated agencies provide to the private sector would be entirely separate from their regulatory enforcement functions. That, he said, will be important for encouraging private-sector cooperation toward establishing a collaborative connection and structure.
“They need to understand that it's not a regulatory function or relationship so they take the fear factor out of it,” he said.
Both provisions, along with numerous others, were hatched from recommendations of the congressionally mandated Cyberspace Solarium Commission, which includes Republican, Democratic and Independent lawmakers, members of the administration, as well as private-sector leaders.