The cyberattack on Sony Pictures creates an opening for Congress to tackle the most pressing and controversial cybersecurity policy problem left unfinished amid a flurry of legislative action in December: information-sharing legislation with liability protection for U.S. businesses.
Washington blamed North Korea for the Sony attack, in which the company’s computer systems were hacked and sensitive data were leaked or destroyed. North Korea denied the charges and blamed the United States for retaliatory attacks on its own Internet system.
But after hacks at JPMorgan Chase, Target and other companies elicited a collective yawn, policymakers and industry lobbyists realized the Sony breach was of a different order of magnitude.
President Obama, lawmakers and business leaders all quickly asserted that the breach highlights the need for a tighter, faster system allowing the public and private sectors to share so-called threat indicators, the telltale signs of an unfolding cyberattack.
“Before Sony, I thought we’d have a little time to address other issues” before getting into cybersecurity, Sen. Ron Johnson, R-Wis., said in a recent interview with InsideCybersecurity.com. “But I want to take advantage of the public awareness” generated by the devastating attack on Sony Pictures, he said.
Johnson, the new chairman of the Senate Homeland Security and Governmental Affairs Committee, joins a revamped lineup of cybersecurity leaders in Congress.
Sen. Richard Burr, R-N.C., is taking over the Senate Intelligence Committee, while Rep. Devin Nunes, R-Calif., is the new chairman of the House intelligence panel. Rep. Michael McCaul, R-Texas, returns for his second term as House Homeland Security chairman and has made cybersecurity a high priority.
The lame-duck session of the 113th Congress passed a handful of housekeeping measures that clarified how the federal government is organized to respond to cyberthreats and interact with critical infrastructure operators who are often the targets of attacks.
Obama signed the bills and Johnson called them “nice steps” that help the government get its own house in order.
Now, the new 114th Congress has a chance to take a bigger step with information-sharing legislation that industry, the White House and key lawmakers say is critical to protecting infrastructure.
Johnson called information sharing “the 800-pound gorilla” in the cyber policy debate and pegged it as his top priority. His panel wasn’t the primary committee of jurisdiction over the issue in the last Congress.
“There are multiple lines of jurisdiction and I don’t see that changing,” Johnson acknowledged. “But I have a history of collaborating with both sides of the aisle and with the House.”
Obama stressed the need for information-sharing legislation during his Dec. 19 year-end press conference, which featured a rare extended exchange with reporters on cybersecurity.
Obama said he would work with Congress to pass “strong cybersecurity laws that allow for information sharing across private-sector platforms, as well as the public sector, so that we are incorporating best practices and preventing these attacks from happening in the first place.”
The House passed a bipartisan information-sharing bill in 2013 and the Senate Intelligence Committee approved a similar bill in July on a 12-3 vote.
Industry groups mounted a lobbying blitz to get the bill on the Senate’s lame-duck agenda, to no avail.
The White House, despite repeatedly calling on Congress to pass an information-sharing bill, never showed any enthusiasm for the House and Senate bills that did move in the last Congress — and didn’t press former Senate Majority Leader Harry Reid, D-Nev., to pass such a bill during the lame-duck session.
The hangup was over liability relief and adequate privacy and civil liberties protections. The American Civil Liberties Union, Center for Democracy & Technology, and dozens of civil rights and Internet privacy groups strongly opposed the House and Senate bills.
Many of them said an unrelated bill reforming National Security Agency surveillance activities must pass before they would even consider a cybersecurity information-sharing bill. NSA reform collapsed during the lame-duck session.
Johnson, for one, said Democrats and the White House were merely protecting their trial lawyer allies who are eager to sue over how sensitive data are handled.
Months of backstage discussions between the White House and the congressional intelligence committees failed to yield a compromise on information sharing, and the Obama administration let the legislation die at the end of the year.
But Johnson and other supporters of information-sharing legislation may not need the cover of NSA reform this year.
New Senate Majority Leader Mitch McConnell, R-Ky., has said he wants to ring up legislative successes and is particularly interested in bills that move through the Senate committees with bipartisan support.
An information-sharing bill would seem to meet those criteria, regardless of whether it moves through the Senate Intelligence or Homeland Security committee, or both.
Even more promising for supporters of an information-sharing bill, the new math in the Senate adds up in their favor.
It takes 60 votes to break a filibuster in the Senate, and McConnell would begin a debate over information sharing with 54 Republican votes almost certainly in hand. Toss in five Democrats who voted for the bill in the Intelligence Committee and passage is tantalizingly close.
One of those Democrats was Sen. Barbara Mikulski, who represents Maryland’s booming cybersecurity sector. Her Maryland colleague, Sen. Ben Cardin, is another possible Democratic vote. Several other Democrats might vote for a bipartisan cyber bill in the aftermath of the attack on Sony.
If a clear path for information-sharing legislation emerges in the Senate, points of contention between the White House and some in Congress may disappear.
Cyberattacks on banks, retailers and even the federal government spurred congressional action on a handful of small cyber bills late last year.
The attack on a movie studio may prove more consequential for national cybersecurity policy.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
