The Senate fumbled on cyber legislation as it headed out the door for a month-long recess, but perhaps set the stage for success in the fall by separating the debate on information-sharing from assorted “poison pills” that had varying degrees of relevance to cybersecurity.
Majority Leader Mitch McConnell, R-Ky., and Minority Leader Harry Reid, D-Nev., on Aug. 5 ended nearly a week of back-and-forth proposals — and acrimonious public comments — on how even to proceed to the Cybersecurity Information Sharing Act (CISA) by wearily agreeing to postpone consideration until September.
They would fold the process for consideration of the so-called CISA bill into a broader deal on debating the Iran nuclear accord, with an agreement that cybersecurity could come up, at the leaders’ discretion, following the Iran debate in September.
Prior to that, McConnell and Reid traded barbs all week along with their proposals for getting the CISA debate started. The Republican leader said he was taking Reid at his word that the debate could be wrapped up in two days. Reid countered that McConnell was jamming the Democratic caucus and refusing to allow an adequate debate on amendments.
By the evening of Aug. 4, the situation appeared hopeless. A cloture motion on proceeding to the bill scheduled for the morning of Aug. 5 was delayed into the afternoon, then delayed again to allow talks to continue.
But the talks focused in large part on how the Senate would conduct its review of the Iran deal. Once that was settled, McConnell and Reid were both interested in finding an escape hatch from the standstill over CISA.
They agreed to allow the cyber bill to be brought to the floor in the fall, without the need for a risky cloture vote on proceeding. And they agreed on a list of 21 amendments that could be debated: 10 for the Republicans and 11 for the Democrats.
Proposed amendments on limiting the bill’s legal protections for industry, strengthening the privacy protections for citizens and better securing federal computer networks would be in order.
Likewise, an amendment on updating laws to better fight cyber crime would be allowed, along with an industry-sought proposal by Sen. Tom Cotton, R-Ark., to allow direct sharing between businesses and the FBI and Secret Service.
But separate issues raised by senators such as consumer data-breach notification and Electronic Communications Privacy Act reform are off the table.
A proposal by Sen. Susan Collins, R-Maine, to add mandatory cybersecurity reporting requirements for some critical infrastructure operators was disallowed.
And amendments floated by Sen. Rand Paul, R-Ky., on completely unrelated topics like defunding “sanctuary cities” and allowing firearms on military bases were kept off the list.
“We set up expeditious consideration of the cyber bill” for when the Senate returns in September, McConnell said Wednesday.
Not everyone was pleased.
Sen. John McCain, R-Ariz., fulminated against pulling the bill from the floor, directing his ire at Reid.
“I tell my colleagues on the other side of the aisle … by blocking this legislation, you’re putting this nation in danger by not allowing the United States to act against a very real threat to our very existence,” McCain said. “So I say, Mr. President, this is a shameful day in the United States Senate. I urge the Democrat leader to come to the floor and allow us to consider amendments [and] move forward with this legislation because the security of the United States of America is in danger.”
McConnell saw a brighter side to the outcome, telling reporters on Aug. 6 that this fit into his mantra of making the Senate work.
“Look, I mean, this has been an incredibly productive first six months of the new majority,” McConnell said. “For any Americans who are paying attention, there was a difference between this majority and the last one.”
McConnell added: “I would love to have finished cybersecurity this week, but we have now an agreement that will allow us to finish it in September. … We’re going to move things like cybersecurity, the TSCA legislation is another example of something important that enjoys bipartisan support, and I’m going to look for things that make a difference for the country, that can clear the Senate, a body that require 60 votes to do most things.”
Digital privacy groups like Access, the Center for Democracy and Technology and the American Civil Liberties Union are promising grassroots campaigns over the August break to drum up opposition to CISA.
These groups were not persuaded by a “manager’s amendment” developed by Intelligence Chairman Richard Burr, R-N.C., and ranking member Dianne Feinstein, D-Calif., the bill’s main sponsors, aimed at tightening the requirements on privacy and government uses of the data.
Industry groups, which swallowed hard to accept the changes in that manager’s amendment, are planning their own “myth vs. fact” efforts in support of the legislation.
In any case, senators should have a series of clear choices on cybersecurity, digital privacy and other issues, if and when the Senate takes up CISA.
The agreement between McConnell and Reid was an important step in making that happen. But a short calendar loaded with explosive issues — including the over-riding question of whether another government shutdown is coming on Oct. 1 — is perhaps the biggest obstacle to Senate action on cybersecurity.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
