No one should doubt that Congress's record on cyberspace issues is dismal. The Bush and Obama administrations both bemoaned Congress's expertise and engagement in this field. Much of its legislation follows Edward Snowden's 2013 disclosures of cyber surveillance programs. But one struggles to find the real benefits of laws like the Federal Information Security Modernization Act, the USA Freedom Act, and the Cybersecurity Information Sharing Act addressing discrete cyber issues quite minimally. If anything, Congress's fractured approach to cyberspace issues reveals that legislators are unable to view and address cross-cutting cyber issues strategically. The solution is to establish a joint cyberspace committee.
Congress's cyber legislation should be measured by the degree to which it reforms its own committees and the executive branch. It sounds daunting, but Congress has undertaken similar tasks at least twice in the last century. World War II prompted the first episode; a reform-minded public and legislature of the 1970s fueled the second. As during those Cold War periods, emerging threats, global security interests, surveillance concerns, and government accountability animate today's public debates about cyberspace. In the digital age, however, Congress has been impotent to address them.
Given today's political environment it would take enormous courage and the leadership of many true statesmen to accomplish the feat. Assuming those resources could be mustered, consider what else may be needed. During the immediate post-war years Congress set out to reconstitute the defense and intelligence establishment. The shared experience of the war and common concerns about communism and the Soviet Union drove quick action. There is no such common understanding or cause in today's cyber debates.
Another early-Cold War lesson is there must be significant harmony between the executive and legislative branches on thorny constitutional issues. Through the National Security Act of 1947 Congress created a new department of defense to unify the military services, a civilian secretary to lead the department, a staff of military service chiefs to coordinate military planning, a national security council to coordinate executive branch policymaking, and the CIA as a function of national security planning processes. To do this it drew upon numerous constitutional powers shared with the president.
Congress also had to reform its own committees to provide suitable frameworks and processes for the branches to operate effectively. Creating new armed services committees through the Legislative Reorganization Act of 1946 was essential because it enabled Congress to legislate for and oversee the new military system. Note that Congress adjusted its own structures before recasting the executive branch through the National Security Act.
Such framework legislation was a common feature of the 1970s reform initiatives as well. The Legislative Reorganization Act of 1970 embodied the multi-year work of a joint congressional committee to reform committees and procedures. The National Emergencies Act of 1976 established processes for the president to make the public and Congress aware of states of emergency. The International Emergency Economic Powers Act of 1977 provided a mechanism for the president and Congress to address shared constitutional powers relating to international and fiscal emergencies. The Foreign Intelligence Surveillance Act of 1978 established the court system under scrutiny in today's cyber intelligence debates. These and other laws adjusted the framework created after World War II. In so doing they reflected Congress's twin desires to regulate wide-ranging executive emergency powers and carry out its legislative functions more comprehensively.
Congress has not taken similar comprehensive steps to posture government for the digital age. The Federal Information Security Management Act of 2002, for example, created a common management framework to address cybersecurity in civilian federal agencies; however, the costly bureaucratic regime could not measurably or reliably improve cybersecurity. The attacks of September 11 then fully redirected Congress's attention. Viewing digital-age security issues through a counterterrorism lens, Congress inadequately addressed interrelated cybercrime, intelligence, military, commercial, consumer protection and other cyberspace issues through the Homeland Security Act of 2002 and the Intelligence Reform and Terrorism Prevention Act of 2004.
The former, hastily drafted and passed, clustered cyber, communications,and related critical infrastructure functions from five different agencies in the new department of homeland security. It empowered the secretary to deliver a limited range of cybersecurity services to most parts of government and, more rarely, to state and local governments and the private sector. It did not, however, alter Congress's committee structure to work with the new department. The law thus provides inchoate treatment of cybersecurity as a public-private, intergovernmental, global interest spanning national counterterrorism, critical infrastructure protection, emergency response, law enforcement, information sharing and other objectives. This remains true even after the National Cybersecurity Protection Act of 2014.
The 2004 intelligence reform law more closely approximates Congress's strategic military-intelligence reforms of the 1940s and 1970s. It created a director of national intelligence, the national counterterrorism center, a FBI intelligence directorate and an information sharing infrastructure with the private sector and state and local governments to plan and carry out various functions with cyber and other counterterrorism objectives at their core. With respect to many cyber issues, however, the new homeland security and intelligence regimes offer competing, duplicative frameworks for government to develop expertise and judiciously apply limited resources to multi-faceted national strategies.
Over the last decade Congress has reaffirmed the primacy of counterterrorism objectives in its treatment of cyberspace concerns. Funding decisions and amendments to the Foreign Intelligence Surveillance Act have confirmed Congress's interest in developing cyber perspectives and capabilities primarily through military and intelligence agencies. Congress also oversaw the evolution of a new U.S. Cyber Command with 6,000 cyber warriors capable of performing offensive and defensive military cyber actions domestically and abroad. The argument is not that these undertakings are objectively unnecessary or misguided, only that they reflect the structure and processes of a Cold War Congress to the detriment of a government that must view security through a digital-age lens.
To be sure, the Obama administration's 2011 so-called "comprehensive" cybersecurity proposal—full disclosure, I helped shape it as a senior homeland security attorney—was not a panacea. Nor could it recommend committee structures and processes for Congress. As might be expected and despite the significant efforts of numerous Senate and House committees, Congress rejected the proposal and failed to pass alternative Senate and House bills in 2012 and 2013. This, too, should not be surprising considering Congress has not implemented the 9/11 Commission's 2004 recommendation to reform committee structures and processes to enable efficient relationships on homeland security matters.
In short, Congress has ceded important constitutional leadership roles on cyberspace issues that, arguably, will remain longer and evolve more rapidly than current terrorism concerns. The opportunity cost can be calculated many ways. It certainly includes a lack of cyber expertise that legislators and committee staffs could have developed. It also includes oversight and public debate on cyber intelligence and law enforcement matters that have roiled the nation particularly since Snowden's disclosures. The tally must also include the nation's ability to address geostrategic cyberspace concerns and balance them against economic, counterterrorism and other policy interests. Bringing unity of purpose to Congress's many cyberspace and security interests and functions is Congress's most hopeful way forward.
If the end of the Cold War is any guide, that can take time. For example, military and intelligence communities struggled to adapt to the Soviet Union's collapse despite a decade's worth of study. One relevant example is this 1999 NSA statement [PDF] of its overriding challenge: "NSA is an organization ripe for divestiture: its individual capabilities are of greater value than is the organization as a whole." The agency envisioned a future in which it "operates and thrives in the net" as part of a plan to demonstrate value beyond the sum of its signals intelligence, information assurance, and military support functions. One hopes for such strategic, self-critical evaluation within government's security establishment. As for the proposed solution, it implicates many cyberspace issues that are not unique to intelligence, military, or other government or private organizations. Regrettably, Congress played no demonstrable role in helping the executive branch and the public comprehend and shape such policy preferences.
A joint cyberspace committee would bring sustained focus to such issues. It would enable Congress to develop a broad base of staff expertise, communicate with the executive branch efficiently, and prepare to oversee or legislate for any new or reformed executive branch entities. All options should be on the table to order and administer cyberspace matters across foreign affairs, defense, commercial, technical, regulatory, and other governmental functions. The approach could also enable Congress to bring new perspectives and solutions to recent cyber stalemates. It is a generational leadership challenge, but it is not so novel or difficult that it cannot be envisioned and achieved.
David G. Delaney is a visiting assistant professor at the Maurer School of Law and senior fellow at the Center for Applied Cybersecurity Research at Indiana University.
Suggested citation: David G. Delaney,Congressional Cyber Leadership through a Joint Committee, JURIST - Academic Commentary, January 26, 2016, http://jurist.org/forum/2016/01/david-delaney-cyber-legislation.php.
This article was prepared for publication by Alix Ware, an assistant Editor for JURIST Commentary. Please direct any questions or comments to her at firstname.lastname@example.org