Congress losing a heavy hitter on cybersecurity

After nearly 22 years, Rep. Jim Langevin, D-R.I., will not be a candidate for federal elected office in November. His absence could make it even harder for Congress to pass meaningful cybersecurity legislation.  

“I’m so proud of all we’ve accomplished together. I’ve led the efforts in Congress to strengthen our cybersecurity and prepare our nation for the threats of the 21st century,” Langevin said in a video announcement on Twitter Tuesday. “I’ve not come to this decision lightly, but it’s time, time for me to chart a new course which I hope will keep me closer to home and allow me to spend more time with family and friends.”

It would be difficult to debate the outsized role Langevin has played in shaping cybersecurity policy. In 2008, he co-founded the House Cybersecurity Caucus with a Republican and has maintained close relationships bridging the political divide. 

“Thanks for your strong leadership on cyber for so many years and your willingness to work with your colleagues on both sides of the aisle to address America's challenges,” said Suzanne Spaulding, a senior advisor to the Center for Strategic and International Studies who formerly led the office that would become the Cybersecurity and Infrastructure Security Agency. 

Spaulding and Langevin worked together as members of the Cyberspace Solarium Commission, which succeeded in turning a host of legislative proposals into law through the annual National Defense Authorization Act. Langevin’s position as chair of the House Armed Services Committee’s panel on cybersecurity was instrumental. 

Among the commission’s proudest accomplishments is the creation of the Office of the National Cyber Director, where Langevin’s long-time legislative director Nick Leiserson is now reportedly serving as deputy chief of staff. 

Langevin also successfully pushed to get more authorities to the Cybersecurity and Infrastructure Security Agency, which now has the power to issue subpoenas to get information from internet service providers so potential victims can be notified of cyber threats. Before an accident that left him paralyzed when he was 16, he dreamed of becoming a police officer and believes in the mantra, “if you see something, say something.” 

In an interview with Nextgov about the importance of agencies having vulnerability disclosure policies, he said he really caught the cybersecurity bug after visiting a hacker conference in Las Vegas in 2017 and seeing security researchers in action. Agencies are now required to implement such policies under directives from CISA and the Office of Management and Budget. 

But there’s a lot left to do on the Solarium Commission’s agenda. Chief on the list is passing a law to require private sector entities to report cybersecurity incidents to CISA. Lawmakers failed to include incident reporting legislation in this year’s NDAA. Langevin’s passion project of establishing a joint collaborative environment for industry and government to share information in real time was also excluded.

Cybersecurity-focused lawmakers were hoping to pass incident reporting legislation to mark the anniversary of the SolarWinds hack, which compromised nine federal agencies and about 100 U.S. companies. 

In an assessment of fallout from the hack, the Government Accountability Office on Friday noted the inability of several agencies to track activity on their networks due to insufficient logging, something Rep. Carolyn Maloney, D-N.Y., highlighted in expressing alarm over agencies’ exposure to the adversary. Langevin challenged Microsoft on the issue, questioning their profit motive while suggesting logging should be standard for customers as a cybersecurity feature. 

“Thank you for your consistent and strong leadership on cybersecurity—your absence leaves a large hole in Congress but you have succeeded in raising the profile of the issue with your peers,” said Chris Painter, president of the Global Forum on Cyber Expertise and former top cybersecurity diplomat at the State Department.

Rep. John Katko, R-N.Y., ranking member of the House Homeland Security Committee who worked often with Langevin also announced his retirement on Friday.