Two comments on Capitol Hill last week neatly summed up the start-and-stop nature of policymakers’ efforts to address the increasingly dangerous threats to the nation in cyber space.
First, Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, testified before Senate appropriators that the private-sector operators of critical infrastructure are a potential “Achilles’ heel” in our nation’s cyber defenses.
Private companies need to do more, Dempsey warned, and Congress needs to give them the tools to do so. That includes new authority to share cyber threat indicators among themselves and with government.
Dempsey has made these points before.
And while industry representatives privately grumble that the military neither appreciates nor fully understands companies’ (quite expensive) efforts on cybersecurity, the need for a new law on info-sharing is widely accepted in the Obama administration, Congress and the private sector.
Which brings us to the second comment: Sen. John Cornyn of Texas, number two in the Senate GOP hierarchy, told InsideCybersecurity.com that the Senate won’t get around to cybersecurity legislation this month.
Maybe in June, Cornyn said.
At the same time, Cornyn expressed confidence that the info-sharing legislation will make it into law this year, after falling short in the previous two Congresses.
Two information-sharing bills passed the House in April with big bipartisan majorities and supporters hoped, briefly, that they could ride the momentum to a quick win in the Senate.
That didn’t happen, of course. The Senate’s Cybersecurity Information Sharing Act, known as CISA, fell behind a long, complicated debate over an Iran nuclear resolution, as well as trade and highway funding bills.
And it fell behind the long, complicated debate over surveillance provisions of the USA Patriot Act that expires on June 1.
With the Senate in session only this week and next before taking off for a week-long Memorial Day recess, addressing the surveillance issue took priority over moving the CISA bill during this work period.
But there may be a bright side here for supporters of info-sharing legislation, as Cornyn suggested.
After a series of physically and politically draining floor debates this month, many senators may be interested in making fast work of a cyber info-sharing bill that passed the Senate Intelligence Committee on a 14-1 vote.
And depending on its outcome, the Patriot Act debate could take some of the steam out of the opposition to the cyber info-sharing legislation.
There are three probable outcomes to the upcoming debate centered on the expiring sections of the Patriot Act that provide the legal basis for the National Security Agency’s domestic bulk data-collection activities. (A federal appeals court last week ruled the NSA had vastly exceeded its authority in scooping up the data. The political ramifications of that decision remain to be seen.)
In the coming days the Senate could agree to extend the current surveillance authority for a short period of time, but certainly won’t agree to extend it for five years, as proposed by Majority Leader Mitch McConnell, R-Ky.
That probably wouldn’t do much to help advance the separate cyber info-sharing bill.
The other options are passing a Patriot Act reform bill that curtails some NSA activities and imposes stricter oversight on others, or simply allowing sections of the Patriot Act to expire at the end of the month.
Privacy and civil liberties groups have warned that handing the government new authority to share cyber threat data with industry is rife with the possibility of unintended consequences unless the NSA programs are addressed first.
“Reining in the NSA prior to Senate consideration of CISA would help with that consideration because CISA would channel so much user information to the NSA,” according to Gregory Nojeim of the Center for Democracy and Technology.
Technology groups, still facing blowback in European and other markets over the Snowden leaks, are pushing for passage of both NSA reform and a tightly structured information-sharing bill that clearly keeps the NSA out of the loop.
The Information Technology Industry Council praised the House Judiciary Committee for passing NSA reforms in the USA Freedom Act, which should be on the House floor this week.
Other industry groups that support the cyber info-sharing legislation have kept their distance from the Patriot Act/Freedom Act debate. That one is “fraught with baggage,” as an industry source put it.
Still, some industry lobbyists agree that expiration or a significant NSA reform, regardless of the policy merits, would improve prospects for the cyber info-sharing bill.
The Senate has a lot on its agenda for the rest of the month, but the headaches and heavy lifting in May may pave the way for floor success in June on cybersecurity.
Keep an eye on the calendar: The Senate is in session for four weeks in June, and then for five weeks before knocking off for a month-long summer recess.
The Senate will need to first pass CISA, then reconcile the measure with the House-passed info-sharing legislation. Then the final version will have to pass the House and Senate one more time.
By that point, supporters hope all the drama has been drained out of the process and the measure will be sent to the president, in October at the latest, with near-unanimous support in Congress.
That’s the hope, anyway. But watch the calendar.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
