The Obama administration has always been partial to its own proposals on cybersecurity.
President Obama has tossed a cybersecurity information-sharing proposal into the mix on Capitol Hill, but it remains to be seen whether the White House approach will gain any legislative traction.
Likewise, lawmakers are working on their own bills but those measures could get the cold shoulder from the executive branch.
An information-sharing bill is the top cyber legislative priority for the president, key lawmakers and much of industry. But getting one through Congress this year will require breaking old patterns.
During Obama’s first term, a White House-led, interagency task force spent two years developing a broad legislative plan on cybersecurity, only to see the measure utterly ignored on Capitol Hill.
In turn, the White House played nice in 2011 and 2012 as Sens. Joseph Lieberman, since retired, and Susan Collins pushed a cybersecurity bill that would have mandated new requirements for U.S. industry.
The administration’s support for that measure was lukewarm at best, and when the bill went up in flames on the Senate floor in late 2012, there were few tears at the White House.
“The administration took something of a hands-off approach,” said a former cybersecurity official in the Obama administration. “They didn’t want to spend a lot of political chips on something that looked like it might be unsuccessful and was going to be unpopular with the private sector.”
Amid the ashes of Lieberman-Collins, the administration was ready to leap in with an executive order and presidential policy directive that would include many elements of its own, shunned legislative proposal.
The executive order and policy directive were released in February 2013 and have largely guided the federal government’s cybersecurity strategy ever since.
Those documents stressed collaboration with the private sector, industry-driven standards and better organization of the federal government to confront cybersecurity challenges.
There was one missing piece, which players on both ends of Pennsylvania Avenue recognized: A new law was needed to promote cyberthreat information sharing between government and the private sector.
In a bit of “After you, my dear Alphonse,” the White House urged lawmakers to take the first step on information-sharing legislation, encouraged them along and took every opportunity to publicly note how important this was to filling gaps in national cybersecurity.
Still, the administration never produced its own bill and opposed, to varying degrees, everything that emerged from Congress on the issue.
A bill championed by retired House Intelligence Chairman Mike Rogers, R-Mich., that passed the House — twice — with a sizable bloc of Democratic votes didn’t pass the White House test for ensuring the protection of privacy and civil liberties.
The appearance of the Edward Snowden leaks, beginning in June 2013, spelled doom for the bill by Rogers and Democrat Dutch Ruppersberger of Maryland.
After more than a year of backstage negotiations, Sen. Dianne Feinstein, D-Calif., and now-retired Sen. Saxby Chambliss, R-Ga., produced a bill in the summer of 2014 that they thought would meet the demands of the White House and online privacy advocates.
It didn’t.
The measure passed the Senate Intelligence Committee on a 12-3 vote, but the administration never signed on despite months of on-again, off-again negotiations.
Then-Senate Majority Leader Harry Reid, D-Nev., had no interest in bringing it up during last year’s lame-duck session without some sign of support from the president, so the measure quietly died.
Now, the issue is back, the Obama administration appears fully engaged and the lines of demarcation are starting to reveal themselves on Capitol Hill.
The president has a proposal — actually introduced this time, by Sen. Tom Carper, D-Del. — that includes targeted liability protection for industry.
New Senate Intelligence Chairman Richard Burr, R-N.C., and Feinstein, now the committee’s ranking member after previously serving as chairman, are expected to introduce a bill this week. That measure would expand the liability protection for industry beyond the administration’s approach.
The new House Intelligence chairman, Rep. Devin Nunes, R-Calif., is close to producing a bill and will hold a hearing on March 5. The House and Senate Intelligence leaders have been working together closely on the legislation, according to sources.
And House Homeland Security Chairman Michael McCaul, R-Texas, is promising an information-sharing bill too.
McCaul may, in fact, be the key spoke in the cybersecurity wheel this year.
He held a hearing on the Obama proposal last week — so far the only hearing devoted to considering that measure. And McCaul clearly has developed a rapport on cybersecurity with leaders of the Department of Homeland Security and other administration security officials.
While intelligence committee leaders were desperately pushing for action on their info-sharing bills last year, Homeland Security Under Secretary Suzanne Spaulding and other senior administration officials were favorably pointing to smaller-scale cybersecurity bills produced by McCaul’s committee .
Now, rather than dismissing the Obama plan for alleged shortfalls on liability protection, as other Republicans and some industry leaders have done, McCaul is stressing common ground and downplaying differences.
McCaul likes the way the Obama plan positions Homeland Security as the main “portal” for sharing threat information with the private sector, and suggests the administration may go along with enhanced liability protections.
The outcome is far from certain, but the pieces are now in place for a robust debate over cybersecurity and information sharing.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
