Every summer in recent decades, the House and the Senate intelligence committees articulate their priorities for the intelligence community for the coming fiscal year in the annual Intelligence Authorization Act. As each chamber marks up its version of the bill, outsiders can review the unclassified portion of the draft legislation to discern each body’s priorities before the bill goes to conference. In the House and Senate intelligence authorization bills for fiscal year 2019, we see three areas that each committee takes on: foreign interference in U.S. elections, the intelligence community’s workforce, and cybersecurity policy more broadly.
First, the House and Senate authorization bills each include important provisions regarding election security and Russian meddling during the 2016 election cycle, and Russia’s continued risk to election security and cybersecurity. But mirroring the Senate intelligence committee’s more serious investigation into Russian interference than that of its House counterpart, the Senate bill demonstrates a more sustained and serious focus on the Russian threat to the U.S. electoral system.
The House bill
The House bill includes four provisions directly related to Russia and election security. First, Section 1502 orders the director of national intelligence to prepare a report examining recent and ongoing Russian influence campaigns targeting foreign elections, including the United States. The bills specifically asks that the report analyze the strategy and tactics Russia has employed in influence campaigns, the intelligence community’s efforts to assist foreign governments in protecting against Russian influence campaigns, and the effectiveness of foreign defenses.
Second, Section 1503 orders the director of national intelligence to publish regular public advisory reports on foreign counterintelligence and cybersecurity threats to federal election campaigns.
Third, Section 1505 requires the intelligence community to produce an assessment of Russian global threat financing—the various means through which Russia seeks to launder funds and finance illicit activities. That assessment, according to the bill, should study trends in threat financing, intelligence community’s prior engagement with allies to combat Russian threat financing, and the intelligence community’s potential vulnerabilities in combating threat financing.
And fourth, Section 2503 of the House bill requires the director of national intelligence, FBI director, and undersecretary of homeland security for intelligence and analysis to notify congressional intelligence, armed services, and homeland security committees within 14 days of any major cyber intrusion targets a federal election.
The Senate bill
Compared to the House bill, the Senate bill includes more election-security provisions and is more proactive in its provisions addressing the threat posed by Russia. First, Section 501 of the Senate bill directs the Department of Homeland Security’s intelligence undersecretary to prepare a report on attempted and successful cyber attacks on U.S. election infrastructure by foreign governments, in connection with the 2016 election. Second, Section 502 requires the director of national intelligence to submit a review of the intelligence community’s posture against Russian efforts to interfere with the 2016 U.S. presidential election. Third, Section 503 requires the director of national intelligence, in coordination with the FBI director and the secretaries of defense, homeland security, state and the Treasury, as well as heads of other relevant intelligence agencies, to begin assessments of vulnerabilities of state election systems one year before federally scheduled elections. This provision also requires the director of national intelligence to submit reports 180 days and 90 days before regularly scheduled federal elections. Fourth, Section 504 calls on the DNI, in coordination with the cabinet members listed in Section 503, to develop a strategy for countering Russian cyber threats against U.S. electoral systems and processes. This strategy must include input from state secretaries of state and chief election officials. Fifth, Section 702 requires the intelligence community to submit reports on the intelligence risks of returning diplomatic compounds taken from Russia as a response to Russian meddling during the 2016 presidential election. Sixth, Section 703 requires the director of national intelligence, in coordination with the Treasury Department’s intelligence branch, to submit a report within 60 days assessing Russian threat financing. Seventh, Section 705 requires the secretary of state to ensure that Russia provides notification at least two days in advance of all travel by accredited diplomatic and consular personnel. Eighth, Section 717 amends a provision of the Intelligence Authorization Act for fiscal 2017 to require reporting of a best estimate of known or suspected violations of certain travel requirements by accredited Russian diplomatic and consular personnel.
The Intelligence Community’s Workforce
When it comes to challenges facing the intelligence community’s workforce, the House and Senate authorization bills include similar provisions and language aimed at addressing ongoing difficulties in effective talent acquisition and retention, particularly for technical roles and positions supporting cybersecurity, by authorizing more competitive salaries. Section 2303 of the House bill and Section 303 of the Senate bill both permit the heads of intelligence agencies to increase in the yearly pay cap for science, technology, engineering and math positions that carry out cyber missions. Additionally, both bills authorized the NSA to introduce a special pay scale for its cyber workforce.
In addition to allowing intelligence agencies to offer stronger financial incentives to top talent, the bills advance efforts to interchange between the intelligence community and private technology companies. Section 1506 of the House bill and Section 713 of the Senate bill require the director of national intelligence to submit a report on the viability, benefits, and challenges of creating an exchange program for cybersecurity workers between the intelligence community and private technology companies. In such a program, intelligence community employees with cybersecurity expertise may be voluntarily detailed to an interested private technology company, while, conversely, an employee of a private technology company with cybersecurity expertise would voluntarily be detailed to an interested element of the intelligence community.
Third, on cybersecurity policy issues extending beyond election interference, the House bill includes only one relevant provision: Section 2305, which authorizes permanent enhanced procurement authority to manage supply chain risks.
The Senate bill differs in its more serious and comprehensive treatment of cybersecurity threats. Section 307 requires the intelligence community, when entering intelligence-sharing agreements with other states, to consider whether and to what extent the country’s telecommunications and cybersecurity infrastructure is provided by U.S. adversaries.
Second, Section 308 authorizes the director of national intelligence to provide additional cybersecurity support for intelligence community employees’ personal devices.
Third, in a sharp rebuke of the Trump administration, Section 701 prohibits the federal government from using funds to establish a cybersecurity agreement with the Russian government unless the director of national intelligence submits a report to the congressional intelligence and armed services committees 30 days before to an agreement comes into effect.
Fourth, Section 715 requires the director of national intelligence, in coordination with other agencies, to prepare a report on known attempts by foreign governments to exploit U.S. cybersecurity vulnerabilities in telecommunication networks in order to surveil Americans.
And fifth, Section 734 requires the homeland security secretary to develop and submit a plan to implement bug bounty programs at agencies and department across the U.S. government.
Further, in the Senate bill’s comments section, the director of national intelligence and appropriate intelligence community elements are also directed to “develop an analytic framework that could support the eventual creation and execution of a government-wide cybersecurity and intelligence collection doctrine.” The bill requires this framework to include:
- an assessment of cyber threats to U.S. national security systems and critical infrastructure;
- the intelligence community’s definitions of key cybersecurity concepts;
- requirements for identifying cyber actors targeting U.S. national security interests and informing policy responses;
- the intelligence community’s methodology for assessing the severity of cyber attacks directed against the United States;
- capabilities that the intelligence community might employ to respond to cyber attacks;
- a policy for cybersecurity-related intelligence sharing with government, private sector, and international partners; and
- necessary changes in “IC authorities, governance, technology, resources, and policy to provide more capable and agile cybersecurity.”
In summary, both bills (1) resemble a consensus on cyber workforce issues and cybersecurity threats to elections, (2) differ in their specific reference to/focus on Russia's role in election interference, and (3) demonstrate that the Senate bill resembles a more comprehensive/serious treatment of cybersecurity issues (beyond cybersecurity vulnerabilities to election systems, that is). On cybersecurity issues, as so much of cybersecurity has to do with the personnel assigned to defend, degrade, or otherwise conduct network operations, these cybersecurity and staffing provisions are mutually supportive and important steps forward. While for those that have been following each chamber’s investigation of Russia’s interference in the 2016 election, it will come as no surprise that the House version of this bill is less concerned with investigating, deterring, and otherwise dealing with Russian foreign election meddling. With discussions about cybersecurity and information operations these days getting tied up in partisan, jurisdictional, and public-private disputes, it is nevertheless a positive sign that both committees are showing greater sophistication in how they conduct their oversight with regard to cyberspace writ large.