As Congress gets ready to return from its election break for a short lame duck session it faces many pressing issues (taxes and the budget to name just two). Some on Capitol Hill are hoping to include comprehensive cybersecurity legislation on the list of things to do. Others think that the chances of legislation this year are slim.

Those who counsel caution are correct. Cybersecurity legislation is too important to hurry. As a panel of speakers made clear during a session at The Heritage Foundation last week, a number of important questions remain, most particularly those pertaining to the scope of Federal authority over the private sector.

This past year has seen significant clarification in Congress’ thinking. Some of the early ideas for a broad Presidential authority to turn on an “internet kill switch” have been narrowed to real crisis situations.  But other disputes about the legislation remain—most notably where ultimate authority for cybersecurity operations should be housed within the Federal government. It matters, profoundly, whether the Department of Homeland Security or the Department of Defense takes the operational lead for protecting America’s cybernet, and that decision warrants more discussion.

Cybersecurity legislation is essential. Too much is happening by Executive action without the input of our elected representatives. If the next session of Congress does not produce a comprehensive, consensus bill, everyone should be disappointed. But for now the time is not ripe and Congress would be wise to give this issue its full consideration next year.