Inside Cybersecurity

October 23, 2021

Daily News

Software group pushes for National Cyber Director, funds for state IT modernization in lame-duck session

By Sara Friedman / November 6, 2020

BSA-The Software Alliance is closely watching the work of a House-Senate conference on a major defense policy bill -- expected to start meeting formally next week -- with a particular focus on including a Cyberspace Solarium Commission proposal to create a National Cyber Director in the final legislation.

The Cyberspace Solarium Commission has been working to get several recommendations from its landmark March report into the fiscal 2021 National Defense Authorization Act. The creation of a National Cyber Director, opposed by the White House, is in the House version of the NDAA. The Senate bill calls for a study on creating the new leadership position.

“We support making sure the United States government is organized in a way that allows it to lead effectively on cybersecurity issues within the United States and around the world,” Tommy Ross, senior director of policy at BSA-The Software Alliance, told Inside Cybersecurity.

Ross said, “The main recommendation for us is the National Cyber Director because we think that kind of function to bring together the interagency is really important. Our hope is that it will be included in the final legislation and we endorsed Rep. [Jim] Langevin’s [D-RI] amendment on the floor” in the House.

However, BSA-The Software Alliance is critical of a Solarium Commission recommendation to create a mandatory cyber incident reporting regime in the NDAA, a provision that Ross said is not “fully ready for passage” and needs more work in coordination with industry.

For incident reporting, Ross said there needs to be a balance in “getting the information out there but also getting the right information out there.” Collecting details for investigations and information gathering shouldn’t get in “the way of active efforts to mitigate a problem,” he said, adding “really quick deadlines for incident reports can be disruptive.”

The U.S. Chamber of Commerce has also urged House-Senate negotiators to exclude a cyber incident-reporting mandate from the final version of the annual defense policy bill, which the business association says would potentially interfere with investigations, expose companies to liability and carry unreasonable compliance costs.

Outside of the NDAA, BSA-The Software Alliance wants to see legislation that will provide funds to state and local governments to help with IT modernization this year.

“Helping state and local governments to modernize their IT and access cloud services takes some of the cybersecurity burden off of state CIOs and their staff,” Ross said, “while also allowing them to access more advanced layered defense capabilities.”

The association is looking to get funds for IT modernization into the next COVID-19 legislative package.

Solarium Commission co-chairs Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI), and commission member Langevin introduced legislation in August to create grant programs for state and local governments to modernize their IT systems. A bipartisan roster of cosponsors for the IT bill includes Reps. Cedric Richmond (D-LA), Will Hurd (R-TX), Dutch Ruppersberger (D-MD), Michael McCaul (R-TX), Max Rose (D-NY), and Don Bacon (R-NE).

The Solarium Commission in early June released a white paper with specific “lessons” and policy asks related to the pandemic, including a sustained source of funding for state IT improvements. -- Sara Friedman (sfriedman@iwpnews.com)