Jim Langevin (D-R.I.) chairman of the House Committee on Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems, said the bill would help provide a whole-of-government response to major cyber incidents.
Langevin, also a member of the Cyberspace Solarium Commission, said the bill would also give the White House another approach to set cyber boundaries with adversaries besides “exclusively through a military lens.”
“We can’t approach cyberspace with such a one-sided understanding. We must instead leverage a whole-of-society approach that takes into account the cross-cutting nature of this human-made domain,” Langevin said.
Lawmakers have introduced versions of the bill since 2018. The legislation also implements an outstanding recommendation from the Cyberspace Solarium Commission, whose proposal to stand up a Senate-confirmed national cyber director position in the White House became law last year.
Langevin said the national cyber director will assist the State Department in its cyber mission.
“The NCD is responsible for helping to develop and coordinate the implementation of the National Cyber Strategy. This obviously has international components to it. I look at the NCD as a way to help the various departments and agencies stay on the same sheet of music and that hasn’t been the case in the past,” he said.
The bill is also led by House Foreign Affairs Committee Chairman Gregory Meeks (D-N.Y.) and Rep. Mike Gallagher (R-Wis.), another member of the Cyberspace Solarium Commission.
The bill would give the State Department the tools needed to identify, attribute and respond to cyber incidents more quickly. Langevin noted that it can take the U.S. months, if not years, to impose punishments or sanctions, which gives malicious nation-state actions the ability to act with impunity.
“Our adversaries know this, and they take full advantage of our lethargy. We don’t have the luxury of time on our side, unfortunately. Behavior today sets precedent for tomorrow. Irregular activity from our adversaries that deviates from our vision is already being established, and it’s up to us if we are going to lead, or if we are going to be led,” Langevin said.
McCaul and Langevin are also working on mandatory breach notification legislation that would help cyber agencies to respond to breaches more quickly.
State’s cyber ambassador, McCaul said, would have a “complementary” role working with the Cybersecurity and Infrastructure Security Agency to respond to cyber threat intelligence received from the private sector.
“CISA works very well to get this threat information, and with our mandatory breach notification law, we’ll be getting more of this threat information that we can actually scrub to protect companies and their duty to their fiduciary stockholders. They would, in turn, share what the threats are, what the attribution is, and then the ambassador can make the decisions on presidential recommendations for things like sanctions,” McCaul said.
Momentum on the Cyber Diplomacy Act comes just a few weeks after President Joe Biden released his fiscal 2022 budget plan for discretionary spending. That plan would give the State Department a 10% increase to its current budget.
That level of spending falls short of a plan Sens. Chris Murphy (D-Del.), Chris Van Hollen (D-Md.) and Reps. David Cicilline (D-R.I.) and Ami Bera (D-Calif.) proposed that would increase spending at State and the U.S. Agency for International Development by 20%.
Murphy said the department needs the funding to have the diplomatic muscle needed to set international norms in emerging technology.
Langevin said the Cyber Diplomacy Act would ensure that diplomats will no longer feel “outmatched and outnumbered at every turn.”
“The sooner we do this, the better and coordination is not easy. It takes time to develop relationships and to build muscle memory, about what to do in the wake of an incident. We don’t yet have that muscle memory built-in, we’re still kind of doing it on the fly,” Langevin said.