Intense debate over security and privacy is coming in the Senate

The prospects for cybersecurity legislation looked bright in April, as the House passed two voluntary information-sharing bills with big bipartisan majorities.

And then the issue crashed into the realities of the Senate.

The Senate version of the info-sharing bill, which passed the Intelligence Committee in March on a 14-1 vote, never made it onto the April floor agenda despite the pleas of Intelligence Chairman Richard Burr, R-N.C., ranking member Dianne Feinstein, D-Calif., and a laundry list of major industry trade groups.

The U.S. Chamber of Commerce, the Financial Services Roundtable, the American Bankers Association, energy groups, telecommunications groups, the tech sector, retailers and others have been trying to nudge the process along, eager to get House and Senate negotiators — and the White House — into a room to hammer out a final deal.

“The goal of this legislation is to help companies achieve timely and actionable situational awareness to improve the business community’s and the nation’s detection, mitigation, and response capabilities, and action could not have come soon enough,” said Bruce Josten, the Chamber of Commerce’s executive vice president for government affairs. “The Chamber now urges the Senate to take up and swiftly pass S. 754, the Cybersecurity Information Sharing Act of 2015.”

Representing huge chunks of the U.S. economy, the industry groups say they need protection from legal liability in order to engage in robust sharing of cyber threat indicators. That premise is widely accepted in Congress and the Obama administration, although serious questions remain on the structure and scope of such immunity.

Opponents of the legislation, who include online privacy and civil liberties groups, vowed a determined campaign to block the legislation in the Senate.

“The House’s draft will now go to the Senate, which has an even worse bill waiting in the wings,” blogged Gabe Rottman of the American Civil Liberties Union after the recent House action.

Rottman wrote: “Just as the privacy and civil liberties community is engaged in a battle to reform the Patriot Act or allow it to expire, we are being forced to simultaneously jump start our efforts against a major new surveillance offensive — these so-called ‘cybersecurity’ bills that will do little to better protect our computers, but will give the government vast new authority to spy on us without any reason to think we’ve done anything wrong.”

Sen. Ron Wyden, R-Ore., the lone vote against the legislation in the Intelligence Committee, pledged to fight the measure on the floor. Other Democratic senators including Patrick Leahy of Vermont are concerned about the adequacy of privacy protections in the bill.

An intense debate over cybersecurity and privacy is coming in the Senate, but first the measure must be brought to the floor.

To the dismay of House sponsors and industry groups, April came and went without Senate floor action.

Since the cyber bill passed the Intelligence Committee on March 12, Senate floor time has gone toward a lengthy budget debate, a Medicare fix, the Loretta Lynch nomination to be Attorney General, other nominations and a human trafficking bill.

A resolution on the Iran nuclear deal has consumed the Senate since last week. A vote on the House-Senate budget agreement and fast-track trade authority are up next, slipping into the queue ahead of cybersecurity.

Most ominously for info-sharing supporters, the Senate will likely consider the USA Patriot Act before getting to the cyber bill. Surveillance provisions in the Patriot Act expire June 1, so lawmakers face a serious time crunch on this issue.

In fact, all of the measures on the Senate agenda are important and urgent.

But as House Homeland Security Chairman Michael McCaul, R-Texas, put it in a speech earlier this year at the Center for Strategic and International Studies, cyber threats are immediate and rank as a defining generational challenge.

“These threats are not just looming on the horizon,” said McCaul. “They are not hypothetical, they’re real. They are already inside our networks, and they are putting our security and prosperity in peril. Safeguarding the digital frontier is one of the leading national security challenges of our time, and our generation will not back down from that challenge.”

McCaul has been warning his fellow lawmakers that a failure to act now will be held against them when a major cyber attack hits the United States.

“It is clear that we have been losing ground against our adversaries in cyberspace,” McCaul said at CSIS. “But better cyber threat information sharing will help us turn the tide and defend our networks against destructive intrusions.”

McCaul’s info-sharing bill passed the House on a 355-63 vote. The bill produced by the House Intelligence Committee passed on a 307-116 vote.

The two measures were subsequently merged and sent to the Senate last week as a unified bill, H.R. 1560.

The Senate will be in session for three weeks prior to the Memorial Day recess. It’s difficult, though not impossible, to see cyber legislation getting onto the schedule in that time frame. More likely is a slot sometime in June.

Eventually, House and Senate negotiators will have to iron out differences over liability protection, whether to “sunset” the legislation after seven years, and the demands on industry to remove personally identifiable information from data.

But if the Senate can actually pass a bill, those negotiations may be seen as the easy part.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
