McCaul calls on the Senate to act on cyber bills

House Homeland Security Committee Chairman Michael McCaul (R-Texas) urged the Senate to take up two pieces of cyber-related legislation -- one to restore the State Department's cyber office and another to reorganize and rename the Department of Homeland Security's National Protection and Programs Directorate cyber division.

Both bills -- The Cyber Diplomacy Act and The Cybersecurity and Infrastructure Security Agency Act -- passed the House in 2017 but have yet to be scheduled for votes in the Senate. McCaul, who is retiring from Congress at the end of 2018, cited both as examples of important cyber legislation that should be passed now.

"It's kind of demoralizing to a department when Congress has not officially authorized or recognized it in law," McCaul said.

Another issue that worries the chairman is the threat from laptop bombs following reports in 2017 that groups like ISIS were testing ways to hide explosives in computer devices that can bypass current scanning technologies. The Transportation and Security Administration is experimenting with a technology that is more known for its medical than security applications: computed tomography. More commonly known as CT scanning, it provides 3-D imaging of electronic and other devices, as opposed to the two-dimensional images provided by a standard X-ray.

McCaul supports greatly expanding the use of these CT scans at airports and took aim at the Office of Management and Budget, which he said cut TSA's $150 million requested budget for the program in half while putting off deployment strategies until at least 2019. To McCaul, that's too little too late, and he argued both the threat and the technology to address it are real enough to warrant action now.

"We need to deploy these machines as rapidly as possible. They exist currently, it's not some futuristic thing," McCaul said. "I know everybody on the committee sees this as a 'not on our watch' type of thing."

Republican committee members on a panel following McCaul's speech touched on security concerns around internet-of-things devices and what role the federal government should play in securing them. Rep. Will Hurd (R-Texas) pointed out that emerging technologies are constantly changing and indicated he would rather the government encourage good cybersecurity standards for emerging technologies through agencies, like the National Institute of Standards and Technology, than by imposing regulations.

"I'm always concerned that if Congress passes laws, as soon as that ink is dry, that thing that we passed is obsolete," Hurd said. "So, anything Congress and the federal government should be doing, it should be based on outcomes, not individual technologies or pieces."

Democrats in the House and Senate have offered or co-sponsored more robust alternatives that would directly use the government's regulatory powers to tighten IoT security standards for government contractors and create a new cybersecurity labeling system for IoT devices.

Rep. Mike Gallagher (R-Wis.) suggested that simply doing an inventory of government IoT devices would be a useful starting point to further discussions around new legislation.

"The federal government needs to understand what's on its network," Gallagher said. "Let's start there, let's figure that one out, then go."