Impact of GOP Win on Cyber Lawmaking
A Look at Sen. Ron Johnson's Cybersecurity Credentials
The tone and complexion of the Senate committee with government IT security oversight is about to change. With the Republicans winning a majority of United States Senate seats in the Nov. 4 election (see Breaking Congress' Cyber Legislation Logjam), the GOP will assume the chairmanships of all Senate panels, including the Homeland Security and Governmental Affairs Committee.
HSGAC, as the committee with government IT security oversight is known, has been chaired for the last two years by Sen. Tom Carper, the jovial Delaware Democrat who has championed legislation to reform the Federal Information Security Management Act, the law that governs government IT security. When the 114th Congress convenes in early January, Carper likely will remain on HSGAC as its ranking member, the title given to the most senior committee member from the minority party.
Often, when control of the Senate switches party, the ranking member of a committee in the old Congress becomes its chairman in the new Congress. But that won't happen at HSGAC.
The current ranking member, Oklahoma Republican Tom Coburn, is retiring, and the next two Republican senators with the most seniority on the committee - Arizona's John McCain and Wyoming's Mike Enzi - are likely to assume the chairmanships of the Armed Services Committee and Budget Committee, respectively. That puts Wisconsin Republican Ron Johnson next in line for the Homeland Security committee chairmanship after only four years in Congress.
A final decision on which senators will lead which committees won't be made until after GOP senators meet later this year. Though it is not guaranteed, congressional observers say Johnson will likely be tapped for the HSGAC chairmanship.
An Untested Leader
With less than a full term in Congress, Johnson is untested as a political leader on Capitol Hill, but the 59-year-old, first-term senator has extensive experience as a business leader. He was serving as chief executive officer of PACUR, a polyester and plastics manufacturer in Oshkosh, Wis., when Wisconsin voters sent him to Washington.
He's a quintessential 21st century Republican. His political philosophy fits neatly into contemporary conservative Republicanism, opposing abortion rights, gun control and government spending, while favoring fewer regulations and lower taxes. Johnson isn't afraid of confrontation, as shown in a heated exchange he had with then-Secretary of State Hillary Clinton during a Foreign Affairs Committee hearing over the attacks in 2012 on the U.S. mission in Benghazi, Libya, in which three American diplomats died.
Although Johnson has been a strong opponent to government regulation of business, his record on cybersecurity matters is relatively thin. Last year, Johnson sponsored the Cyber Economic Espionage Accountability Act, legislation languishing in the Judiciary Committee aimed at protecting American businesses' intellectual property by curtailing cyber-spying by China.
In 2012, he co-wrote an article published in Politico with Sen. Saxby Chambliss, R-Ga., opposing the Cybersecurity Act of 2012, a bill backed mostly by Democrats and the Obama administration, which would have promoted IT security best practices that businesses could voluntarily adopt.
Citing business groups such as the U.S. Chamber of Commerce and the Internet Security Alliance as bill opponents, the senators wrote:
"They are raising legitimate concerns that the 'voluntary' framework offered to industry is overly burdensome and prescriptive. It could quickly turn into a mandatory regulatory scheme. Increased bureaucracy and uncertain liability protections would actually slow the sharing of threat information between business and government. Resources better spent on innovation and deterrence would be diverted to satisfy government notions of compliance."
That bill never came up for a vote, as its supporters failed to quash a filibuster (see Senate, Again, Fails to Halt Filibuster).
To understand lawmakers' thinking on a particular issue, it helps to parse the questions they ask witnesses testifying at congressional hearings.
In 2013, during a Senate Commerce Committee hearing on the cybersecurity partnerships between business and government, Johnson posed a series of questions about Obama administration cybersecurity policies to government witnesses.
In a written question directed to Gregory Wilshusen, the Government Accountability Office information security issues director, Johnson pointed out what he perceived as weaknesses in the Obama administration's approach to cybersecurity. Johnson wrote:
"GAO found that federal cyber strategies lack clear goals, performance measures, defined costs and resources, established roles and responsibilities, and do not coordinate with other national strategies. This failure to coordinate strategies raises concerns over how effective the administration can be in implementing the new responsibilities laid out in the executive order [that] directs DHS to use a 'risk-based' approach to identify 'critical infrastructure' within 150 days.
"The EO also directs DHS to develop performance measures associated with the cybersecurity framework NIST is charged with developing. If the government is having a hard time developing performance measures for itself, how will this impact the government's ability to develop performance measures for the private security? How involved should industry be in this process?"
Opportunity for Bipartisanship
Johnson's partisan tone raises the question of whether he can build bipartisan support on the committee to address the cybersecurity challenges the government faces. Vocal partisanship doesn't necessarily mean Johnson can't or won't reach out to Democrats on the panel. Carper takes pride in doing just that in producing three cybersecurity measures in conjunction with Coburn that passed the committee earlier this year (see FISMA Reform Heads to Senate Floor).
But the trust Carper says he built with Coburn took time, a fact about which the outgoing chairman expressed some regret. "If I had been a better chairman of Homeland Security in, maybe, my first year, and had a chance to work even more closely with Dr. Coburn in my first year, I think we would have made more progress," Carper said in an interview with Information Security Media Group (see How Tom Carper Sees FISMA Bill Passing). "I think I've gotten to be a better chairman. I hope I'm better."
With Carper as the ranking member, Johnson has a potential partner to build bipartisan consensus on cybersecurity matters. We'll find out in January what kind of leader Johnson will be.