Trump administration officials are growing increasingly frustrated over stalled legislation concerning a key office responsible for combating cyber threats.
The Senate has failed to pass legislation that would rename a little-recognized office at the Department of Homeland Security (DHS), which has become a leading player in the U.S. government’s efforts to protect elections from Russian interference.
The bill in question, the product of a years-long effort by House Homeland Security Chairman Michael McCaul (R-Texas), easily passed the lower chamber in December.
But Sen. Ron Johnson (R-Wisc.), who chairs the Senate Homeland Security Committee, has so far been unable to shepherd it across the finish line in the upper chamber. The lack of progress has left Homeland Security officials and others on Capitol Hill baffled and frustrated.
“I think it’s fair to say that there is some amount of frustration in the DHS team on the ability of the Senate to move important legislation to give DHS needed changes to its organizational structure in the cybersecurity space,” a source close to the administration told The Hill.
A Homeland Security spokesman declined to comment for this article.
The bill is straightforward, and not viewed as particularly contentious. The idea is to give the Homeland Security office responsible for securing federal networks and protecting U.S. critical infrastructure from cyber and physical sabotage – now called the National Protection and Programs Directorate, or NPPD – a more targeted name, and to restructure it into a full-fledged agency.
Under the bill, the office would be rebranded the Cybersecurity and Infrastructure Security Agency – which proponents say would better communicate its mission to key industries and help them recruit and retain high-quality personnel.
Johnson’s committee approved the provision in March as part of a broader package that would reauthorize the Department of Homeland Security.
But, more than five months later, the provision has not reached the Senate floor for a vote, triggering worries it might not be passed before the legislative clock runs out.
Meanwhile, the lack of developments has attracted attention at the highest levels of the White House. Speaking at a cybersecurity summit in New York last month, Vice President Pence demanded the Senate pass the bill.
“The time has come for the Cybersecurity and Infrastructure Security Agency to commence,” Pence said on July 31. “This agency will bring together the resources of our national government to focus on cybersecurity. And it’s an idea whose time has come.”
Johnson has advocated for the tenets of the bill, describing it as a “key reorganization” vital to Homeland Security’s cyber mission in March.
But sources familiar with the legislative negotiations said Johnson has been unwilling to separate the standalone legislation from the broader Homeland Security reauthorization bill, making it more difficult to pass. When asked to dispute that characterization, a spokesman for Johnson said he “has led the effort in the Senate to reorganize DHS’s cyber division as part of a larger effort to reauthorize DHS” and “is working with his colleagues to advance his bipartisan legislation through the full Senate.”
The reauthorization bill could become more controversial given hot-button issues like immigration. It has also provoked objections from other committees.
Senators nearly hitched the reauthorization bill to must-pass omnibus spending legislation in late March, but were unsuccessful in doing so in the eleventh hour.
After the failed effort, Johnson publicly fumed that “turf wars” with the Senate Intelligence Committee had prevented the name change from making it into the omnibus. However, sources say lawmakers on the Senate Intelligence Committee have raised issues with the broader reauthorization bill — but not the specific provision that would rename the cyber office. It is unclear if any other committees have expressed grievances with the cyber provision. Johnson also tried, unsuccessfully, to attach the reauthorization package to annual defense policy legislation approved by the Senate in August.
When reached for comment on the appetite for the bill in the Senate, Leader Mitch McConnell’s (R-Ky.) office directed The Hill to Johnson’s committee.
Johnson acknowledged Wednesday that it might not be possible to get the legislation passed as part of the larger reauthorization bill. He also said he met with Chris Krebs, who heads NPPD, earlier Wednesday on election security and is “sympathetic” to the Homeland Security unit’s efforts.
“That was certainly what we were hoping is to get the whole reauthorization we included in that package. I just met with Chris Krebs today,” Johnson told The Hill when asked about his engagement with Homeland Security on the bill.
“We had a secure briefing on election security. It is something I am sympathetic with. We are going to figure out how we can get it all accomplished. I’d love to do it as the entire DHS authorization. I’m not sure that’s going to be possible,” he said.
It’s not just administration officials who are growing increasingly impatient — people who work closely with the committees of jurisdiction are also hearing frustrations about the lack of action.
“I think part of the frustration is obviously that it hasn’t been moved, and that there isn’t real clarity of why it isn’t moving,” said Suzanne Spaulding, an Obama-era Homeland Security official who led NPPD. “That is frustrating.”
When contacted, a spokesman for McCaul pointed to a statement he made last week calling on the Senate to act “quickly” on the legislation, in addition to other bills passed by his committee.
“With each passing day, the cyber threats facing our homeland continue to grow,” McCaul said.
NPPD has seen its responsibilities rapidly expand since it was stood up at Homeland Security a decade ago. The office regularly engages with operators of critical infrastructure – most of which is owned by the private sector – to protect the U.S. electric grid, banks, water systems and other critical assets from digital and physical attacks.
The cyber wing has been in the news more recently for taking the lead on helping state and local election officials protect their digital voting systems from cyberattacks, following Russian interference in the 2016 presidential election.
Advocates see the renaming and restructuring of NPPD as an easy win for Republicans, especially as the administration continues to get hammered for what critics describe as a failure to take meaningful action on election cybersecurity.
“I think moving this legislation is a really important step forward in our cybersecurity capability and competence, and ability to work with the private sector and state and local jurisdictions,” Spaulding said.
“In that way, I think it would indeed not just symbolically send a message about the importance of cybersecurity and that they have not taken their eye off that ball, but would also be important substantively.”
Proponents say the name change, while not vital to the functioning of the cyber office, would be a critical step at a time when concerns are growing over the potential for cyberattacks to have catastrophic effects on U.S. critical services.
“DHS is right that there is an element of rebranding with NPPD,” said Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce, which late last month led a group of trade associations urging the Senate to pass the bill.
“They want to convey what the organization does and with whom and what entities,” Eggers said. “There is an effort hear to deepen public private efforts to protect cyberspace.”
Stakeholders remain optimistic that the bill will eventually be passed despite the hang-ups, given the support for it within the administration, the Republican-led Congress, and among industry.
“In getting any kind of bill drafted and moved through the legislative process, there are going to be differing opinions, but I think at the end of the day they get reconciled,” said Eggers. “I think friction, if you will, is a good thing, and I think that leads to better legislation.”
Still, the Senate has limited legislative days until the end of the 2018 fiscal year, and there is also the risk that Republicans could lose the majority in either chamber in the November midterm elections – potentially complicating the legislation’s path forward in a new Congress.
Some want to see the legislation passed before the midterms, when there will be substantial attention on the cyber office’s work in helping to secure state election infrastructure.
“Sooner rather than later, I think, is our mantra,” said Eggers.