The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

House, Senate changes could slow legislative momentum for cybersecurity

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! The video gamer in me finds all the partially empty, green “percent estimated vote” bars on TV to be stressful, as if Election Day isn’t stressful enough. I need those bars to be full. At least drink a potion or try to find a power-up.

Below: Cyber officials don’t see significant Election Day cyberthreats, and election deniers win major midterm races. First:

The remade legislative map for cybersecurity

Election Day on Tuesday has left command of Congress up in the air.

But we can say this much: bipartisan attention to cybersecurity could drop off in the next congressional session regardless of which party controls the House and Senate when all the votes are tallied.

The GOP leaders of the House and Senate homeland security panels, Sen. Rob Portman (R-Ohio) and Rep. John Katko (R-N.Y.), have earned reputations as among the more moderate members in their chambers and for working with Democrats to pass cybersecurity legislation. Both are retiring, and it’s not clear if the cybersecurity policy momentum will continue.

Cybersecurity is also losing another key lawmaker in Congress with the retirement of Rep. Jim Langevin (D-R.I.), a bipartisan dealmaker with longtime cyber policymaking expertise who helped some of the bigger cyber measures become law in recent years. Langevin has also helmed the cybersecurity subcommittee of the House Armed Services Committee.

Langevin’s subcommittee and the House and Senate homeland security panels have been at the center of most of the major cyber legislation in recent years.

“It’s definitely going to hurt our proactive public policy as it relates to cyber,” Tom Kellermann, who served on an influential cybersecurity commission with Langevin and now works as senior vice president for Contrast Security, told me. “All three of those representatives and senators have been leaders in cyber. … They really see cyber as a national security and economic imperative, and they treated it in a bipartisan fashion — what might be the only bipartisan issue on the Hill.”

Departure fallout

Both Langevin’s perch and the Homeland Security panels have played a big role in advancing meaningful cybersecurity legislation of late. “The Defense Authorization Act has really been the steroids for American cybersecurity over the past few years,” Kellerman said.

In order to get some of those cybersecurity provisions into the annual defense bill, leaders of the Cyberspace Solarium Commission had to get 180 clearances.

“I think it's important to recognize how pivotal our colleague Jim Langevin was in doing that,” Rep. Mike Gallagher (R-Wis.) told me in September. Because of Langevin’s leadership on the House panel and “his indefatigable efforts in this space, we were able to get a lot passed,” Gallagher said. “And I don't think it would have been possible without his help.”

The Homeland Security committees, meanwhile, played a key role in advancing one of the biggest cybersecurity bills Congress has passed yet. That law established requirements for critical infrastructure owners to report major attacks and ransomware payments to the federal government.

House and Senate Homeland GOP candidates

People tracking the issue inside and outside Congress who spoke on the condition of anonymity think that either Rand Paul (R-Ky.) or James Lankford (R-Okla.) will take over for Portman on the Senate Homeland Security and Governmental Affairs Committee. (A cyber-aside: Lankford defeated a cybersecurity pro, Democrat Madison Horn, in the midterms.) Neither Paul’s nor Lankford’s office responded to an offer to comment on this story.

  • Ron Johnson (Wis.) is the next-most senior GOP senator behind Portman now. Johnson was top Republican on the committee from 2015 to 2021. His race against Democrat Mandela Barnes was too close to call as of this morning.

Paul could instead choose to take the top Republican spot on the Health, Education, Labor and Pensions Committee. But his track record of working on cybersecurity legislation in the past is thin, and many expect that he’d focus on investigating the Biden administration on other matters if he takes the Homeland spot.

Lankford has taken more of an interest in cyber and has demonstrated a history of working with Democrats on it, too.

  • Most prominently, he co-sponsored major election security legislation with Sen. Amy Klobuchar (D-Minn.) that got to the precipice of Senate passage before running into opposition from the Trump White House and some key GOP senators.

Among the leading contenders to replace Katko as the top Republican member on the House Homeland Security Committee are Dan Crenshaw (Tex.) and Mark Green (Tenn.).

Crenshaw has “unique experience” in cybersecurity among other prospective candidates for top GOP member of the Homeland Security Committee and would make it a “top priority,” Kara Zupkus, a spokesperson for Crenshaw, told me.

  • “Most don’t realize that after Rep. Crenshaw was injured, he stayed with the SEAL Teams but focused on intelligence, which included setting up offensive and defensive cyber operations,” Zupkus said. “This experience enables Rep. Crenshaw to better understand the threats we face and the vulnerabilities those who wish to do us harm look for.”
  • According to his office, Crenshaw would prioritize several cyber issues if he takes the top Republican spot: Cybersecurity and Infrastructure Security Agency mobile training teams and public education programs for the private sector; oversight of CISA’s ability to protect government networks; CISA coordination with other agencies and industry; and pursuing Katko’s long-term plan for CISA.

Cybersecurity would “continue to be a top focus” for Green if he served as top GOP member of the Homeland Security panel, according to spokesperson Rachel del Guidice.

Other potential candidates include Michael Guest (Miss.), Clay Higgins (La.), Dan Bishop (N.C.) and Scott Perry (Pa.). Whoever’s in charge, they’d also probably scrutinize Homeland Security Department efforts to counter what the department labels as disinformation.

House and Senate control

Katko’s replacement could have his time consumed by subjects other than cybersecurity.

Should the GOP take control of the House, as appears likely, Rep. Kevin McCarthy (R-Calif.), who is expected to become House speaker, has said border security will be a caucus priority. The Homeland Security panel would surely be key for that. A push to impeach DHS Secretary Alejandro Mayorkas, should it emerge, could also consume much of the committee’s time.

Should Democrats lose their grip on the House and Senate, the Biden administration would find less support for its plans to seek additional regulatory authority on cybersecurity.

“If the Republicans take control of Congress, there will be no regulation,” Kellerman said.

CISA’s budget has grown significantly since its inception. It got $1.7 billion in its first year in fiscal 2018, and is on course for more than $2.9 billion in fiscal 2023. Cyber spending has increased elsewhere, too. Republicans in charge of either chamber might want to take a closer look at that.

“It’s fair to say that when it comes to cybersecurity, you have seen both authorities and budgets of agencies handling cybersecurity grow over the last several years,” Andrew Howell, a partner at the lobbying firm Monument Policy who has tech clients, told me. “Assuming Republicans take the House, they will certainly conduct rigorous oversight from both the appropriations and authorization perspective. If Republicans also take the Senate, expect that to happen there, too.”

  • “This will place a premium on agencies being able to effectively tell their story on how their cybersecurity spending has measurably improved their ability to manage cybersecurity risk,” Howell said.

The keys

Despite hiccups, no major cyber incidents on Election Day

Election officials in areas like Maricopa County, Ariz., worked to battle misinformation on Tuesday, my colleagues Isaac Stanley-Becker and Drew Harwell report. Meanwhile, officials at the CISA told reporters that many of the cyberthreats that election officers faced were low-level website disruptions, and that officials were able to bring websites online.

A senior CISA official said the agency was aware that potential distributed denial-of-service attacks — in which a flood of malicious internet traffic overwhelms a website — affected some websites belonging to state election offices and political campaigns. One such DDoS attack knocked down the Mississippi secretary of state’s office, for example. The websites were usually quickly restored, an official said.

No election deniers have won secretary of state races – yet

Vote counts to date left uncertain whether any prominent election-denying candidates for secretary of state, such as Arizona’s Mark Finchem or Michigan’s Kristina Karamo, won. That’s a key position; in some states, it’s the top election official.

But plenty of election deniers have won other races. As of this morning 164 people who denied the results of the 2020 election won their midterm races, Adrian Blanco, Daniel Wolfe and Amy Gardner report. The races span elections for House, Senate and key statewide offices.

“Candidates who have challenged or refused to accept President Biden’s victory — 51 percent of the 569 analyzed by The Washington Post — are running in every region of the country and in nearly every state,” according to the story.

U.S. government again sanctions Tornado Cash

The Treasury Department said in a statement that Tornado Cash was sanctioned for “enabling malicious cyber activities” that ultimately supported North Korea’s weapons of mass destruction program. The reissued sanctions come exactly three months after the U.S. government first sanctioned the cryptocurrency service. At the time, U.S. authorities said Tornado Cash had been used to launder $7 billion in cryptocurrency, including hundreds of millions of dollars worth of cryptocurrency stolen by North Korean hackers.

Cyber insecurity

Nigerian fraudster Hushpuppi sentenced to 11 years in U.S. prison (Victoria Bisset)

Global cyberspace

Cyber police hacked beyond court order Case 3000 (Jerusalem Post)


  • Doreen Bogdan-Martin, the newly elected secretary general of the International Telecommunication Union, and National Archives and Records Administration innovation chief Pamela Wright speak at an American University event Friday at 8:30 a.m.

Secure log off

Thanks for reading. See you tomorrow.