House passes bill to formalize NTIA’s cyber role following Salt Typhoon attacks

As cyber officials work to contain Salt Typhoon inside U.S. telecom networks, the House on Monday passed a bill that would officially designate one federal agency to lead efforts in protecting the nation’s digital infrastructure from such threats.

The National Telecommunications and Information Administration Organization Act cleared the House via voice vote and is now teed up for Senate consideration — the same position the bill found itself in last year before stalling out in the upper chamber. 

The legislation from Reps. Jay Obernolte, R-Calif., and Jennifer McClellan, D-Va., would rebrand the Office of Policy Analysis and Development as the Office of Policy Development and Cybersecurity, and codify the NTIA’s responsibilities to lead policy initiatives and coordinate with other agencies on cyber practices for the country’s communications networks.

“NTIA is already central to advancing market-driven strategies that foster innovation, expand broadband deployment and promote a competitive digital economy,” McClellan said. “But this legislation ensures that NTIA is equally empowered to help safeguard that digital future, particularly as the cybersecurity threats we face grow more complex and more dangerous by the day.”

The Salt Typhoon attack spree last year on major American telecommunications companies, she added, was a “sobering reminder” of the vulnerabilities that live in U.S. infrastructure and “how deeply” the fallout of cyberattacks can be felt in multiple sectors, ranging from health care to national security. 

The top Democrat on the Senate Intelligence Committee last year called the far-reaching breach by the Chinese hacking group “the worst telecom hack in our nation’s history.” In interviews with CyberScoop, a half-dozen sources pointed fingers at a lack of coordination and miscommunication between federal agencies and the telecom industry.

The bill calls on NTIA to take the lead on coordinating “transparent, consensus-based, multistakeholder processes” for the development and implementation of cybersecurity and privacy policies in communications networks. Public-private partnerships would be fostered to encourage “collaboration between government agencies and stakeholders,” said Rep. Bob Latta, R-Ohio, chairman of the House Energy & Commerce Committee’s energy subcommittee.

There is also a callout in the legislation for increased collaboration between security researchers, software developers and telecoms. Collaboration will be paramount as telecoms attempt to purge the vestiges of Salt Typhoon from their networks, a feat that experts told CyberScoop will be exceedingly difficult if not impossible. 

Additionally, the legislation seeks NTIA-led policies on security resilience and the pursuit of accelerated “innovation and commercialization with respect to advances in technological understanding of communications technologies,” per the bill text.

“As more and more of Americans’ lives move into a digital format, it’s leaving the information of Americans more and more vulnerable to cyberattacks,” Obernolte said. “That’s why it is critical that we establish cybersecurity protocols and capabilities to counter the threats, not just to foreign actors, but of cybercriminals and transnational criminal organizations who attempt to breach our data security and access the data of Americans.”