Stay in the know: Three pieces of cybersecurity-related legislation working their way through Congress

Updated October 17, 2022

Lawmakers are working on cybersecurity-related policy that could help U.S. organizations in the public and private sector and in a range of industries. They’ve been prompted to act by multiple, high-profile cyberattacks—including SolarWinds, Microsoft Exchange, and Colonial Pipeline—as well as hundreds of lower-profile cyberattacks that happen daily. The Cybersecurity & Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, tracks attacks in a running list of alerts.

In the Executive branch, President Biden took action on strengthening the nation’s cyber defenses when he signed the Executive Order on Improving the Nation’s Cybersecurity in May 2021. The executive order “makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”

The Legislative branch has also been active. Here are three pieces of cybersecurity legislation Congress is considering and what they aim to do.

S. 3600 Strengthening American Cybersecurity Act of 2022

The Strengthening American Cybersecurity Act of 2022 is aimed at helping the federal government gather data on potential cyberattacks threatening critical infrastructure firms in the private sector. The act would require these firms to report potential cyber or ransomware attacks to CISA. Impacted industries include chemical, manufacturing, health care, defense contracting, energy, financial, nuclear, and transportation. According to Congress’ website, the legislation includes three parts: “(1) an interagency council to standardize federal reporting of cybersecurity threats, (2) a task force on ransomware attacks, and (3) a pilot program to identify information systems vulnerable to such attacks.”

As of this posting, the bill has passed the Senate but not the House of Representatives.

S. 1260 United States Innovation and Competition Act of 2021

The United States Innovation and Competition Act of 2021 is a potential $250 billion investment into American technologies that compete with China, including semiconductor production, research, development of artificial intelligence, and space exploration. The bill also includes provisions to strengthen the U.S. cybersecurity posture against China. For example, it taps the National Institute of Standards and Technology (NIST) to develop standards and best practices for research institutions to keep sensitive data and research protected from Chinese hackers. The bill also requires the U.S. to impose sanctions on China if it learns of Chinese theft of U.S. trade secrets.

As of this posting, the bill has passed the Senate but not the House of Representatives.

H.R. 4521 America Creating Opportunities for Manufacturing, Pre-Eminence in Technology, and Economic Strength (COMPETES) Act

The COMPETES Act is the House of Representatives’ version of the United States Innovation and Competition Act of 2021 described above. In March 2022, the Senate voted to swap out the text of before sending it back to the House. Although the overall vision remains the same, there are some key differences. For example, the Senate wants the National Science Foundation (NSF) to correct a long-standing imbalance in which U.S. research institutions receive funding. However, both versions of the legislation would give Congress the authority to double NSF’s budget. There’s also disagreement on how much support to provide U.S. semiconductor manufacturers.

As of this posting, this bill has not been reconciled between the House and Senate.