The euphoria accompanying Senate passage of long-awaited cybersecurity information-sharing legislation quickly gave way to the realities on Capitol Hill, where the cyber issue promptly dropped down the list of priorities.
Efforts to build on the momentum of the 74-21 Senate vote for the Cybersecurity Information Sharing Act — and get the measure into final negotiations with the House — are still waiting to get off the ground.
A first step would be appointment of House-Senate conferees, but that hasn’t happened and doesn’t appear imminent.
Legislation to encourage information sharing between government and business is the top cybersecurity policy priority for many industry groups — and has been for the past three Congresses.
Such legislation won’t stop breaches, advocates acknowledge, but would provide a better picture of the threat environment across the U.S. economy and help limit the damage from an ever-growing wave of cyberattacks.
Actually getting an info-sharing measure through the Senate was a singular accomplishment that set the stage for final action on the issue.
But Intelligence Committee Chairman Richard Burr, R-N.C., whose bill sailed through the Senate on Oct. 27, last week reiterated his belief that the measure won’t be reconciled with House-passed legislation until next year.
Burr said action on an annual “authorization” bill for the intelligence community is his near-term priority.
House members and staffers were more optimistic about the outlook.
“I hope to get it done this year — that shouldn’t be that ambitious,” said Rep. Adam Schiff of California, the top Democrat on the House Intelligence Committee. Schiff forged a strong partnership with House Intelligence Chairman Devin Nunes, R-Calif., on that committee’s info-sharing bill, which cleared the House on a 307-117 vote in April.
“I hope we can move forward expeditiously,” Schiff said. “I don’t want to see this kicked over to next year.”
According to Schiff, three issues must be resolved in House-Senate negotiations, but getting that done shouldn’t be too heavy a lift.
Negotiators have to decide whether industry must share threat indicators through a “portal” at the Department of Homeland Security in order to get related liability protection. That’s the approach in the Senate bill while the House measure would allow sharing with other government entities, including law enforcement agencies.
Schiff said he actually favors the Senate approach, which is also encouraged by a second House-passed cyber bill developed by the House Homeland Security Committee. The two House bills were pressed together for purposes of conferencing with the Senate, leaving the issue of “portals” to be decided later.
Negotiators also must resolve how to minimize the potential sharing of personally identifiable information and settle on what the government should be allowed to do with threat indicators it receives from industry, according to Schiff.
The fact that the House cyber legislation is actually the handiwork of two committees, mashed together rather bluntly, poses a procedural problem, according to Sen. Dianne Feinstein of California, the top Democrat on the Senate Intelligence Committee and Burr’s partner on the CISA bill.
Feinstein and Burr were planning to discuss this issue, which sources on the House side said shouldn’t be viewed as a problem at all.
Here’s a real problem: The House is out the week of Nov. 9 and the two chambers will be in session concurrently only for four more weeks this year, under the published schedule.
“I said we shouldn’t expect it until next year,” Burr told a reporter last week as he hurried into the Senate chamber to vote.
Does it actually matter if the legislation slips over until next year?
Procedurally, maybe not. The feared encroachment of presidential election-year politics into the cybersecurity debate never materialized on the Senate floor last month, although Sen. Rand Paul, R-Ky., made a brief floor speech and offered an amendment calling for greater privacy protections.
The recent bipartisan budget and debt-ceiling deal means lawmakers should be operating under something approaching “regular order,” rather than the perpetual legislating-by-crisis atmosphere of recent years.
That means finding a floor slot, even at the beginning of a presidential election year, might not be as challenging as previously assumed.
The lopsided vote in favor of CISA last month also should assuage lawmakers’ fears that the online privacy community would make this issue too hot to touch.
But does such a delay matter in the practical world of trying to secure cyberspace?
The key congressional backers of the legislation clearly think so, as do their allies representing almost every major sector of the U.S. economy.
Some in the security world believe the benefits of this legislation, based on incentivizing sharing through liability protection, are oversold and say the important aspects of sharing are already taking place.
But allowing final action to drag out into next year almost certainly won’t improve the legislative product: The basic thrust of the content is a done deal.
It merely delays the point at which policy makers will have a clearer understanding of how all of these various tools work together, and are able to better determine what’s actually effective in cybersecurity.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
