The Senate Homeland Security and Governmental Affairs Committee passed a slew of cybersecurity related legislation Wednesday, including bills that would put new cybersecurity guardrails around government artificial intelligence programs, bolster the federal cybersecurity workforce, implement a number of recommendations from the Cyberspace Solarium Commission on securing critical infrastructure, establish a national cyber exercise program to game out incident response capabilities and codify one of the government’s primary cloud security certification programs.
One of the most significant was the Defense of United States Infrastructure Act, which would implement a number of recommendations from the Cyberspace Solarium Commission.
The legislation would develop a national strategy to protect critical infrastructure from cyber and physical attacks, establish grant programs to increase resiliency of critical infrastructure, give the National Cyber Director new hiring authorities and create a Bureau of Cybersecurity Statistics to track data around incidents and defense.
It would also push through a number of changes at CISA, creating a cloud-based joint information sharing environment focused on malware forensics and threat intelligence, codifying a five-year term for CISA’s director and empowering the agency to classify “systemically important” critical infrastructure to prioritize federal resources.
The Good AI Act, introduced by HSGAC Chair Gary Peters, D-Mich., and ranking Republican Rob Portman, R-Ohio, would compel the director of the Office of Management and Budget to form an “Artificial Intelligence Hygiene Working Group” that would focus on updating federal contracting standards for AI projects and incorporate the latest research on best practices.
The group would be given a specific mandate to align future contracting language with the AI in Government Act, which mandated the creation of an AI Center of Excellence at the General Services Administration and directed OMB to develop guidance to federal agencies on current and future projects.
“Artificial intelligence applications that can be used to strengthen our national security collect a considerable amount of sensitive data. It’s critical that we protect and secure this data to safeguard the rights and privacy of the American people,” said Peters in a statement. “This bipartisan bill will ensure that federal contractors cannot misuse the information collected by these technologies and that artificial intelligence is used appropriately for the benefit of our nation.”
Another bill, the Federal Cybersecurity Workforce Expansion Act introduced by Sens. Maggie Hassan, D-N.H, and John Cornyn, R-Texas, would create a new apprenticeship program at the Cybersecurity and Infrastructure Security Agency, as well as a pilot cyber training program for military veterans transitioning to civilian life. The apprenticeship program must focus on cybersecurity competencies deemed relevant by CISA and provide a direct pathway to eventual employment at the agency, a grant award or a private sector role that the CISA director has certified is contributing to national cybersecurity in the United States.
If passed, it would represent another tool for CISA to bolster its ranks with badly needed cybersecurity talent. The agency recently partnered with Girls Who Code to develop career pathways for young Black female professionals and a new hiring system that allows them to sidestep the laborious federal hiring process and pay higher salaries to cybersecurity job candidates is set to go live Nov. 15.
During a committee markup of the bill Wednesday, an amendment proposed by Sen. James Lankford, R-Okla., to change federal law governing to allow agencies to use direct hiring authorities from when there is a shortage of “highly qualified” candidates was rejected on a party-line vote. Lankford said the change was needed to allow agencies more flexibility in the hiring process.
“Obviously there may be candidates available but any of you who work in the IT area … there’s a difference between candidates and highly qualified candidates,” said Lankford.
Both Peters and Hassan voted against the measure. Hassan said she was concerned that the change in language could create unintended consequences, while Peters said it could allow agencies to sidestep normal hiring rules or install political loyalists.
“Although I agree there are circumstances in which agencies should have direct hiring option, this approach needs to be used carefully to protect the merit system protections, fairness in the federal hiring process and an apolitical, professional civil service,” Peters said.