Smooth sailing for cyberbill? Not so fast

The Senate’s overwhelming passage of cybersecurity legislation last week should set the stage for quick final action on an issue of vital importance to the nation’s economy and security.

But will it?

The Senate on Tuesday ended more than three years of legislative stalemate by passing the Cybersecurity Information Sharing Act on a 74-21 vote, after defeating a half-dozen floor amendments designed to improve the measure’s privacy protections.

The House in April passed two cyber info-sharing bills: An Intelligence Committee-passed measure cleared the House on a 307-116 vote, while a Homeland Security Committee bill passed the House 355-63.

The two House measures were mashed together for an ultimate conference with the Senate, leaving at least a few contradictory elements to sort out later in the process.

The House and Senate approaches contain more similarities than differences, including the emphasis on voluntary sharing of cyberthreat indicators between industry and government, with liability protection for companies.

With the Obama administration coming on board for providing legal immunity to encourage companies to share, the biggest fundamental issue seemed to be addressed at the very start of the process.

But not so fast.

The first potential stumbling block appears to be timing for getting a final version completed. The House and Senate must appoint negotiators, who will hammer out the details with the White House sitting at the table. Then the consolidated measure goes back to the House and Senate for final votes.

House sources said they could see the entire episode being wrapped up before Christmas.

Senate Intelligence Chairman Richard Burr, R-N.C., on the other hand, told reporters that this will not be a speedy process.

The issue is complicated: the calendar is studded with holidays, other issues are vying for lawmakers’ attention, and — to top it off, Burr said — the House leadership turnover inevitably slows things down.

Burr said he would immediately begin informal talks with his House counterparts, but cautioned that he didn’t expect resolution until the new year.

If one of his negotiating partners, House Intelligence Chairman Devin Nunes, R-Calif., were to replace new Speaker Paul Ryan, R-Wis., as chairman of the Ways and Means Committee, Nunes would leave the Intelligence Committee and the conference on the cyberbill would be hobbled from the beginning.

When it comes to the substance, the negotiators from the House, Senate and White House can focus on plenty of common ground, but the nuanced differences in the bills could take a while to work through.

One big issue from the White House’s perspective involves “defensive measures,” the steps companies can take in response to a cyberattack. House and Senate bill sponsors say they have developed careful safeguards to ensure private entities don’t wage their own cyber counter-attacks. The administration continues to raise concerns.

Participants will face continued calls from Sen. Ron Wyden, D-Ore., and other privacy advocates to strengthen the privacy protections, an area where the White House has generically signaled a need for some improvement.

Wyden noted the 41 votes his amendment on privacy gained in a losing effort. That was “a lot more” than he had earlier this year at the start of an ultimately successful effort to rein in National Security Agency surveillance activities, Wyden asserted, saying support will grow for better privacy protection in the cyber legislation.

“There’s no question I’m going to make sure the Senate is back at this,” he said.

The White House, though, seems comfortable with the Senate approach to ensuring privacy in the sharing process, and has reserved most of its criticism on that score for the House Intelligence Committee bill.

The administration’s own proposal provided “targeted liability protections, while carefully safeguarding privacy, confidentiality, and civil liberties, all the while preserving the longstanding respective roles and missions of civilian and intelligence agencies,” White House deputy press secretary Eric Schultz told reporters last week.

“The Senate’s passage, with strong bipartisan support — I think it’s notable and worth mentioning Sen. Dianne Feinstein, Sen. Tom Carper, and Sen. Burr, in particular, for their support for this information-sharing bill that upholds these principles and that this is an important step towards better protecting the nation’s networks from malicious cyber actors.”

The Senate bill requires companies to share through a “portal” at the Department of Homeland Security in order to get liability protection. That, sponsors say, would ensure a uniform approach to privacy and other issues.

One of the House bills directed Homeland Security to establish such a portal, which it has done already, while the other would allow direct sharing between industry and multiple federal agencies.

The Senate soundly rejected an amendment by Sen. Tom Cotton, R-Ark., that would have allowed direct sharing between industry and law enforcement.

The House approach also requires “reasonable” efforts to remove personal information that may be included in shared data. The Senate says industry and the government must remove data “known at the time of sharing” to include personal information.

It’s a subtle difference that has launched a furious lobbying effort. Industry groups fear the House language is ambiguous and fodder for lawsuits. An amendment was narrowly defeated on the Senate floor last week that would have moved in the direction of the House.

While online privacy groups tee off on the “known at the time” formulation and the rest of the proposed sharing process as unacceptable, industry groups are targeting their own list of provisions for change or deletion.

Business groups especially want to eliminate language by Sen. Susan Collins, R-Maine, that would require a study of cyber vulnerabilities at 60-plus private-sector entities where an attack could have catastrophic consequences. Industry groups see it as a bridge to regulation.

Collins expressed incredulity at the criticism, saying the language would have no impact on more than 99 percent of industry.

None of these issues should pose a fatal roadblock for cyber info-sharing legislation, especially after the historic Senate vote ended years of futility in that chamber.

But as always on Capitol Hill, the biggest challenge may be in just getting started.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
