In a major breakthrough, Senate leaders are pledging to bring up a long-stalled information-sharing legislation before decamping in three weeks for a month-long recess.
Senate Majority Leader Mitch McConnell, R-Ky., said the bill would reach the floor this summer. Majority Whip John Cornyn, R-Texas, told The Hill newspaper last week that the bill will be considered sometime the week of Aug. 3, just before the Senate adjourns for its summer break on Aug. 7.
“I think it will be on the floor this work period,” a newly optimistic Senate Intelligence ranking member Dianne Feinstein, D-Calif., told InsideCybersecurity.com. Feinstein co-sponsored the bill with Intelligence Chairman Richard Burr, R-N.C., and has been championing info-sharing legislation over the past three Congresses.
Action on this bill is the top priority for congressional leaders on cybersecurity issues, and for major trade associations representing the nation’s critical infrastructure such as banks, telecommunications, gas and electricity, and many others.
The House passed similar legislation in April, merging bills produced by the Intelligence and Homeland Security committees in that chamber.
The legislation would allow companies to share with the government any threat indicators popping up on their networks that signal an unfolding cyberattack. It includes liability protection shielding the companies from certain lawsuits, and government regulatory actions related to the data they share.
The business community and many in government — including the Obama administration — agree that at least some level of immunity is needed; otherwise companies simply won’t take the legal risk of exchanging cyber information with government. The appropriate level of protection has been the sticking point going back to at least 2012.
There is work to do — within the Senate, between the House and Senate, and between lawmakers and the White House.
But info-sharing legislation now appears closer than ever to completion. If the Senate can pass its bill before the August recess, three-cornered House-Senate-White House negotiations can get started.
The Senate and House versions contain different approaches to liability protection for industry, the government entities that can receive threat data directly from companies, and on a handful of other matters. The House also included a seven-year sunset in its legislation, meaning a future Congress would have to reauthorize the program.
Resolution of those issues could lead to a signing ceremony by the time annual “Cybersecurity Awareness Month” festivities kick off in October.
There are catches.
For one, McConnell may squeeze the Senate’s CISA floor debate into two days right before the recess begins on Aug. 7. That would put a hard deadline on the debate and perhaps limit the opportunity for amendments.
From the perspective of bill supporters, that could keep out tangential issues such as controversial amendments on consumer data-breach notification.
The potential negative is that it could stir up yet another damaging procedural fight between McConnell and Minority Leader Harry Reid, D-Nev.
Reid last month said the cyber legislation would only need two days on the floor. He was trying to block an earlier procedural move by McConnell. But now, the GOP leader may be taking the offer literally and challenging Democrats to put their votes where their rhetoric is on the importance of passing this cyber bill.
Sen. Chuck Schumer of New York, a key member of the Democratic leadership, suggested he would support the bill as reported by the Intelligence Committee. “I’d like to see the bill strengthened a little bit, but I’d take it right now because we’ve done nothing on cyber for a long time,” he said.
But privacy and civil liberties advocates were unappeased by personal privacy elements added to the bill in the Senate Intelligence Committee last spring, and see cyber info-sharing as a kind of follow-on to National Security Agency surveillance activities that have sparked so much controversy.
“We will have privacy amendments,” Sen. Ron Wyden, D-Ore., said last week. He called cybersecurity a serious problem and noted that a company in his own state, Solar World, was hacked by the Chinese. “Information sharing can play an important role,” he said, “but without adequate privacy protections, it’s a surveillance bill.”
Wyden said there will be “a number of strong amendments” on privacy and civil liberties offered during the floor debate. “I don’t believe I’ll be alone,” he added.
Feinstein countered that bill sponsors have “bent over backwards” to address privacy concerns. “We put 13 privacy amendments in the bill already, based on input from the privacy community,” Feinstein said. Privacy issues may need to be revisited in the future, according to Feinstein, who added, “That’s a discussion for another day.”
Sen. Richard Blumenthal, D-Conn., an ally of Wyden’s on civil liberties issues, said the info-sharing debate offers a unique opportunity to improve individual privacy rights in the cyber age. “We should have a full debate,” Blumenthal said. “Few significant measures are done in 48 hours.”
In addition to privacy protections, other senators say they will offer amendments on their own cybersecurity priorities during the CISA bill debate, which could further complicate final passage.
Sen. Sheldon Whitehouse, D-R.I., last week said he plans to offer an amendment creating a national data-breach notification standard. He will also offer his proposal on updating criminal laws to fight hacking.
The cyber info-sharing bill seems to be advancing, which comes as a huge relief to its supporters.
But this could get messy.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
