In the course of just a few decades, information technology has become an essential component of American life, playing a critical role in nearly every sector of the economy. Consequently, government policy affecting information technology currently emanates from multiple agencies under multiple authorities – often with little or no coordination. The White House’s Cyberspace Policy Review (the Review) wisely recognized that the first priority in improving cybersecurity is to establish a single point of leadership within the federal government and called for the support of Congress in pursuit of this agenda.
Congressional involvement in some form is inevitable, but there is considerable uncertainty as to what Congress needs to do and whether it is capable of taking action once it decides to do so. With an agenda already strained to near the breaking point by legislation to address health care reform, climate change, energy, and financial regulatory reform – as well as the annual appropriations bills – the capacity of Congress to act will depend, in some part, on the necessity of action. For the last eight years, homeland security has dominated the congressional agenda. With the memory of the terrorist attacks of September 11 becoming ever more distant, there may be little appetite for taking on yet another major piece of complex and costly homeland security legislation.
Part I of this article considers the question of necessity. The Homeland Security Act,2 the Federal Information Security Management Act,3 the Communications Act,4 and any number of other statutes provide substantial authorities over federal and nonfederal information infrastructure.5