Patrick D. Gaul is the Executive Director of the National Technology Security Coalition (NTSC), a non-profit, non-partisan, industry-agnostic organization focused on uniting both public and private sector stakeholders around policies that improve national cybersecurity standards and awareness.
OPINION — This year, the Cybersecurity Advisory Committee Act (H.R. 1975) was included in the FY 2021 National Defense Authorization Act (NDAA) (pg 1836 section 1718). With strong bipartisan support in the House and Senate, the NDAA is almost certain to pass. The NDAA states:
The Advisory Committee shall advise, consult with, report to, and make recommendations to the Director [of the Cybersecurity and Infrastructure Security Agency], as appropriate, on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the Agency.
Specifically, the Advisory Committee will comprise “not more than 35 individuals” who are subject matter experts, geographically balanced from around the country, and representative of many industries. This group will provide periodic reports, annual reports, and Congressional notification.
To understand why this is a huge win for national security, the CISO community, and the NTSC (still a relatively young non-profit organization), let’s rewind the clock two years to when this idea originated.
The Creation of the Cybersecurity Advisory Committee Authorization Act of 2019
When the National Protection and Programs Directorate (NPPD) was redesignated as the Cybersecurity and Infrastructure Security Agency (CISA) in October 2018, then-Director Chris Krebs sharpened the agency’s focus and collaborative abilities to better share information, align resources, and partner with the private sector.
Early on, CISA realized its mission needed the input of the private sector and that it wasn’t enough to informally get that input in an ad hoc or administrative fashion. In September 2018, the NTSC drafted the original idea of a CISO Advisory Committee bill that would provide the director of CISA a non-partisan, industry-agnostic advisory committee of no more than 35 cybersecurity subject matter experts who would offer advice and guidance.
Once the idea was drafted, the NTSC approached Representative John Katko (R-NY-24) to become the lead sponsor of the bill. The original bill, H.R. 1975, was introduced on March 28, 2019. On September 25, 2019, the House Committee on Homeland Security advanced H.R. 1975 under the leadership of Homeland Security Committee Chairman Bennie Thompson and Ranking Member Mike Rogers.
H.R. 1975 Gains Groundswell of Bipartisan Support While Cyberspace Solarium Commission Includes Bill’s Language in its Recommendations
After the bill was introduced by Rep. Katko, the NTSC met with the House Homeland Security Chairman Bennie Thompson (D-MS-02), who advised it would only move with strong support from members of the Democratic caucus. As a result, the NTSC went to work to get that support. In total, H.R. 1975 ended up tallying 77 cosponsors (44 Democratic and 33 Republican).
As support for the bill grew, the NTSC took H.R. 1975 to Cyberspace Solarium Commission (CSC) Executive Director Mark Montgomery. The CSC concluded its work and submitted a final report to the U.S. Congress on March 11, 2020. One of the objectives of the Commission was to strengthen CISA. Establishing an advisory committee to support CISA fell in line with that objective.
As a result, the Cyberspace Solarium Commission included our language to establish the advisory committee in its recommendations to Congress. This inclusion gave a significant boost of support and additional legitimacy to H.R. 1975.
Companion Bill S. 4024 Introduced and Language Included in NDAA
To build on our success in the House and with the Cyberspace Solarium Commission, the NTSC next worked with Senator David Perdue (R-GA) for the introduction of a companion bill in the Senate. Senator Purdue gained support from Senator Kyrsten Sinema (D-AZ) to ensure we could gain bipartisan support in the Senate.
- 4024, the Cybersecurity Advisory Committee Authorization Act of 2020. was introduced in the Senate on June 22, 2020. On July 22, 2020, the Senate Committee on Homeland Security and Governmental Affairs advanced S. 4024 under the leadership of Chairman Ron Johnson and Ranking Member Gary Peters.
In addition to the standalone bills introduced in the House and Senate, we secured language about the Cybersecurity Advisory Committee in the FY21 House Homeland Appropriations bill and the FY21 Senate National Defense Authorization Act. This brings us to today as the House and Senate prepare to pass the NDAA and thus likely pass our bill.
The Importance of a Cybersecurity Advisory Committee and Validation of the NTSC’s Mission
Recently, Chris Krebs said at least four nation states are attempting to steal intellectual property related to the coronavirus vaccine. 85 percent of the nation’s critical infrastructure is owned by the private sector. And cyberattacks from varied sophisticated threat actors hit our nation’s companies every day.
What affects the private sector affects national security. The Cybersecurity Advisory Committee will help take the public-private partnership to the next level to assist with CISA’s mission. The message of this partnership is important: The federal government wants to work with companies to protect infrastructure in the name of mutual defense. This CISO advisory committee will help with DHS’s formulation of policy and rulemaking. If the director of CISA has an issue, this diverse committee will provide direct stakeholder feedback and give unbiased recommendations.
For the NTSC, this law gives our constituency a greater voice in this important public-private partnership as CISA reaches out to CISOs and the private sector for guidance. The CISO community is precisely the organization to draw upon when DHS is looking for members. If asked, NTSC board members are prepared to serve on this committee to help better protect the US from cyberattacks.
As a relatively young organization that began in 2016, the NTSC has been validated in its mission by the success of this bill. The journey from idea to passage took two years, which is hyperspeed in Washington, D.C. The inclusion of our bill in the NDAA shows that a thirst exists for more efforts related to strengthening the dialogue between the public and private sector about cybersecurity. Our work has only just begun.
Read more expert national security insight, perspective and analysis in The Cipher Brief