Cybersecurity

Does Cybersecurity Governance Require Centralization?

The pros and cons of dedicated cybersecurity committees in Congress

Jonathan Lewallen
3Streams

--

U.S. congressional committee hearings related to cybersecurity

Cybersecurity is a complex, multidimensional issue that lacks a clear, agreed-upon definition. The lack of clarity is partly because cybersecurity’s issue dimensions are driven by changes in technology. As more industries move their operations and data online they become vulnerable to unauthorized access, vandalism, theft, and manipulation. New vulnerabilities in different economic sectors add dimensions to cybersecurity as a policy problem; the U.S. farm credit bureau moving its financial reporting processes to the “cloud” means cybersecurity governance will now overlap with agriculture policy.

Governing institutions are not typically organized to address issues like cybersecurity that sprawl across multiple executive agencies and committee jurisdictions. Through 2014, more than 30 different congressional committees had held at least one hearing on a cybersecurity-related issue, ranging from the Appropriations Committees that determine agency funding to committees with jurisdiction over military, law enforcement, and commerce issues to the Senate Aging Committee.

The Cybersecurity Solarium Commission’s Proposal

The fiscal 2019 National Defense Authorization Act established a bipartisan Cybersecurity Solarium Commission to address the lack of cohesion in U.S. cybersecurity policy and “develop a consensus on a strategic approach.” The Commission’s report, released in March of this year, called for centralizing cybersecurity governance in two ways: by creating congressional committees devoted specifically to cybersecurity and establishing a national cybersecurity coordinator within the executive branch.

Calls to reorganize and centralize governing institutions are not unique to cybersecurity. Congress is often criticized for fragmented approaches to policymaking that result from jurisdictional overlap; different committees work on their own particular components, so the argument goes, without the cohesion needed to address complex problems. Eliminating committees and restructuring jurisdictions were central to congressional reorganization efforts in 1946, 1970, and the early 1990s. The September 11, 2001 terrorist attacks led to a new agency that centralized government homeland security and immigration tasks just as the energy crisis of the 1970s did with energy-related programs.

As proposed by the Solarium Commission, the cybersecurity panels (one in each chamber) would mirror the existing Intelligence committees, with the chairs and ranking members of other cybersecurity-related committees serving as ex officio members. Select committees can have value by institutionalizing issue attention and providing a venue for different perspectives. Having committees focused only on cybersecurity could bring in a broader array of witnesses and allow the other panels to focus on other matters.

Centralized Governance Carries a Downside

Despite some of the benefits that centralized committees may bring, centralizing cybersecurity governance would raise questions and downstream problems for congressional policymaking. The Solarium Commission’s proposal would maintain the Appropriations, Armed Services, and Intelligence committees’ jurisdictions, so we would still have some fragmented congressional authority.

One question important for reorganizing committee jurisdictions is: what kinds of members would the new cybersecurity panels attract? A member’s personal and political goals are important for determining who participates in a committee’s work and how they participate. What kinds of members would want to lead the committee initially? Would they be the legislators who care most about cybersecurity or those who want the additional institutional resources and power that come from being a chair and ranking member? The House Homeland Security Committee focused largely on distributive policies early in its existence as its members directed grants to their districts; cybersecurity committees intended to “develop a consensus” might instead focus on providing localized benefits.

Congress also should consider how creating new committees with jurisdiction over cybersecurity would affect the remaining committees and particularly their ability to conduct oversight. Cybersecurity is not only an issue on its own; it’s also a dimension of other issues like banking, law enforcement, and health care. The Internet of Things (Internet-connected or “smart” technologies), for example, creates cybersecurity concerns for consumer products. Regulation of those products would then fall under both the cybersecurity committee and the existing Commerce Committees, which gives agencies and private sector witnesses opportunities for strategic evasion. We have seen high-level executive branch figures refuse to testify before committees over the past several years; the lack of clarity over the boundaries of what defines cybersecurity could allow potential witnesses to claim that the issue on which they’re called to testify falls within one committee’s jurisdiction but not the other, or to claim that something is or is not a cybersecurity issue.

So what’s the answer? Some issues like cybersecurity that change with the adoption and diffusion of technologies across economic sectors might resist centralization in both the legislative and executive branches. Every agency is essentially part of the target population for cybersecurity policies due to the adoption of certain technologies within government, even to the extent that the Department of Defense wonders if an (Internet-enabled) “air conditioner could take down a military base.”

As new technologies develop, new vulnerabilities arise, and the component dimensions of cybersecurity as a policy issue grow and change, a committee with sole jurisdiction over cybersecurity would still have to prioritize those dimensions, which would prevent sustained attention to any one cybersecurity-related problem.

Duplication and redundancy within government are seen as inefficient, but they have their own value. Having multiple committees and agencies with authority over some aspect of cybersecurity means that if one governing unit misses something or favors certain interests, other venues within the same institution can bring in other voices and catch what was missed. And while a committee system might resist cohesive cybersecurity strategies, the financial services committees likely are better suited to craft and oversee standards appropriate to the banking industry, and likewise the energy committees with the energy sector, rather than a “one-size-fits-all” approach applied to industries with different sets of vulnerabilities and concerns.

--

Jonathan Lewallen is assistant professor of political science at the Univ. of Tampa and author of the book Committees and the Decline of Lawmaking in Congress.