The National Telecommunications and Information Administration is the subject of a slew of new bipartisan bills that would increase the agency’s role in securing U.S. networks but lacks leadership, according to testimony before a House Energy and Commerce Committee panel.
A memo the committee released in advance of a hearing Wednesday in its subcommittee on communications and technology describes nine pieces of legislation members have recently introduced. Six of them, witnesses noted, would involve the NTIA, which is helmed by an acting administrator—Evelyn Remaley.
“The members of this subcommittee must ensure that NTIA has the capacity to execute on these additional functions,” said Dileep Srihari, senior policy counsel for Access Partnership, a technology consultancy. “The relevant staffing within NTIA is actually quite small, although the president is currently proposing some increase. The administrator position was vacant during the previous administration for far too long. You should urge the president to fill this vacancy. Ideally, Congress should hear from NTIA itself on these issues.”
Srihari testified before the subcommittee along with Dean Brenner, senior vice president of spectrum strategy and tech policy at Qualcomm Incorporated; Jason Boswell, head of security and network product solutions for Ericsson North America; and Clete Johnson, a senior fellow with the strategic technologies program at the Center for Strategic and International Studies.
Among the bills discussed at the hearing, one—the NTIA Policy and Cybersecurity Coordination Act—would rename what is currently NTIA’s Office of Policy Analysis and Development. It would become the Office of Policy Development and Cybersecurity and “be assigned functions to coordinate and develop policy regarding the cybersecurity of communications networks,” according to the memo.
Brenner suggested lawmakers wait for a permanent administrator to be in place before enacting it.
“Changing the focus of an office and turning NTIA into having cyber as one of its core functions, that’s a very significant change,” he said. “It’s going to require, you know, a permanent administrator to roll it out and it would be good to get that person’s views I think before legislation like that is signed into law.”
Other bills would require the agency to report on mobile service providers’ implementation of cybersecurity best practices, develop and conduct a cybersecurity literacy campaign to educate U.S. individuals and businesses about common cybersecurity risks and best practices, and provide outreach and technical assistance to small communications network providers on open radio access networks.
Srihari said most of the new responsibilities would likely fall under the NTIA’s domestic and international programs division, which currently has about 30 employees, although he noted President Joe Biden’s proposal of raising that to just over 50.
“If this subcommittee rightfully is going to bolster NTIA’s functions here I think you need to be cheerleaders for the agency in very modest budget increases to just help them do these things,” he said. “Right now I am working with them on a number of different issues and I see the same staffers’ email being CCed on three very different topics because they just don’t have the people right now, that’s the reality right now.”
NTIA is not a regulatory agency. During the hearing, Johnson, who is also counsel for the Open Radio Access Network Policy Coalition, emphasized this point. He said greater involvement of the Commerce Department—where NTIA is housed—in general is important for public-private partnership, as opposed to the government prescribing rules for industry, something the current administration has come closer to doing after recent high-profile cyberattacks.
“They’re a crucial part of the process because, as I’ve said a couple of times today, they’re the only agency whose core mission is promoting American business and innovation, which underlies American strength and insecurity,” he said.