The Senate’s Cybersecurity Bill Is in Trouble

Significant hurdles remain for the Senate’s proposed cybersecurity legislation, which is competing with at least two other issues for a vote before recess.

Majority Whip John Cornyn
National Journal
July 28, 2015, 4:01 p.m.

After a pair of massive cy­ber­at­tacks com­prom­ised the per­son­al in­form­a­tion of more than 22 mil­lion people, most of whom work or worked for the gov­ern­ment, law­makers saw an op­por­tun­ity to push for cy­ber­se­cur­ity le­gis­la­tion that has been stuck in Con­gress for years.

Des­pite the calls for ur­gency, passing a bill won’t be easy.

The Cy­ber­se­cur­ity In­form­a­tion Shar­ing Act, or CISA, a Sen­ate bill in­ten­ded to fa­cil­it­ate the ex­change of cy­ber­threat in­form­a­tion between the private sec­tor and the gov­ern­ment, has been dogged by con­flict and con­cerns about over­reach, and is fall­ing prey to par­tis­an fights that have noth­ing to do with the is­sue.

Al­though the plan was to turn to CISA after the high­way bill gets a vote, ac­cord­ing to mul­tiple Sen­ate sources, sen­at­ors may in­stead take up a meas­ure that would de­fund Planned Par­ent­hood — eat­ing in­to time the Sen­ate needs to vote on CISA. There’s also a pos­sib­il­ity that Ma­jor­ity Lead­er Mitch Mc­Con­nell will send law­makers home this week after they vote on a high­way fund­ing bill, leav­ing the cy­ber­se­cur­ity bill for the fall.

“I’m sad to say I don’t think that’s go­ing to hap­pen,” Ma­jor­ity Whip John Cornyn said Tues­day about a vote on the CISA bill, ac­cord­ing to The Hill. “I think we’re just run­ning out of time.”

Ex­tra time could help. The cy­ber­se­cur­ity bill has nu­mer­ous polit­ic­al hurdles to clear that may not be eas­ily ne­go­ti­ated dur­ing the first week of Au­gust, when sen­at­ors’ minds turn to re­cess. Many sen­at­ors also hope to have time to pro­pose fur­ther amend­ments to the bill, which may not be pos­sible dur­ing a rushed Au­gust sched­ule.

Here’s a run­down of the prob­lems fa­cing the cy­ber bill:

Out­stand­ing pri­vacy con­cerns

The in­form­a­tion-shar­ing bill has long been op­posed by pri­vacy ad­voc­ates, who say it would ef­fect­ively broaden the gov­ern­ment’s powers to spy on Amer­ic­ans.

A let­ter sent Monday from a co­ali­tion of se­cur­ity ex­perts, civil-so­ci­ety or­gan­iz­a­tions, and pri­vacy groups urges Pres­id­ent Obama to is­sue a veto threat, ar­guing that CISA would res­ult in Amer­ic­ans’ private in­form­a­tion be­ing shared with the gov­ern­ment, and cri­ti­ciz­ing it for al­low­ing the in­form­a­tion gathered from private com­pan­ies to be used for pur­poses oth­er than cy­ber­se­cur­ity.

“While cy­ber­se­cur­ity threats con­tin­ue to be a sig­ni­fic­ant prob­lem war­rant­ing con­gres­sion­al ac­tion, CISA goes well bey­ond au­thor­iz­ing ne­ces­sary con­duct, to au­thor­iz­ing dan­ger­ous con­duct, and un­ne­ces­sar­ily harm­ing pri­vacy,” said the Cen­ter for Demo­cracy and Tech­no­logy on its blog Tues­day. “Its broad use per­mis­sions sug­gest that the le­gis­la­tion is as much about sur­veil­lance as it is about cy­ber­se­cur­ity.”

Con­flict with House bills

There are cur­rently two bills in the House that com­ple­ment the Sen­ate’s cy­ber­se­cur­ity le­gis­la­tion, but re­con­cil­ing the House bills — and then squar­ing the res­ult with the Sen­ate ver­sion — may prove to be very dif­fi­cult.

The two House bills ori­gin­ated from dif­fer­ent com­mit­tees: One came from the House Home­land Se­cur­ity Com­mit­tee, and the oth­er from the House In­tel­li­gence Com­mit­tee. Al­though they are sim­il­ar in many ways, they dif­fer on some key points, in­clud­ing on li­ab­il­ity pro­tec­tion and pri­vacy pro­vi­sions.

What’s more, neither cur­rently lines up with the le­gis­la­tion un­der con­sid­er­a­tion in the Sen­ate, which trades few­er pri­vacy pro­tec­tions for more se­cur­ity pro­vi­sions.

House Home­land Se­cur­ity Com­mit­tee Chair­man Mi­chael Mc­Caul said last month that the Sen­ate’s ver­sion of the bill would be dead on ar­rival in the House, be­cause it could trig­ger fears of ex­pan­ded sur­veil­lance.

“My con­cern is that they have an NSA in­form­a­tion-shar­ing com­pon­ent in there that I think would be prob­lem­at­ic in many ways in the House,” Mc­Caul said at a Na­tion­al Journ­al event. “I’ve warned them that if that kind of bill comes back, it’s not go­ing to pass, and that’s the polit­ic­al real­ity.”

A con­gres­sion­al aide said Tues­day that Mc­Caul has not changed his mind about the cur­rent Sen­ate bill, but that he is “sup­port­ive of Sen­ate ac­tion and is op­tim­ist­ic the House and Sen­ate can come to­geth­er in con­fer­ence, if the Sen­ate were to pass their bill, to work out re­main­ing con­cerns.”

Un­clear White House sup­port

Al­though Pres­id­ent Obama strongly sup­ports in­form­a­tion-shar­ing le­gis­la­tion, and has pro­posed his own mod­el bills, the White House has not stated a spe­cif­ic po­s­i­tion on Sen­ate cy­ber­se­cur­ity bill.

Asked about the bill in June, White House press sec­ret­ary Josh Earn­est did not com­ment on the pro­posed le­gis­la­tion, in­stead point­ing to the White House’s pro­pos­al. “We have pretty ag­gress­ively ad­voc­ated con­gres­sion­al pas­sage of that le­gis­lat­ive lan­guage,” he said.

The ad­min­is­tra­tion pub­licly came out in sup­port of the two House bills in April, but has in the past is­sued veto threats against an in­form­a­tion-shar­ing bill it said did not go far enough to pro­tect Amer­ic­ans’ pri­vacy.

Ques­tions about ef­fect­ive­ness

In ad­di­tion to rais­ing pri­vacy con­cerns, some se­cur­ity ex­perts say in­form­a­tion-shar­ing le­gis­la­tion would do little to im­prove cy­ber­se­cur­ity.

The sheer volume of in­form­a­tion that would be dis­sem­in­ated un­der the bill would over­whelm law en­force­ment and in­tel­li­gence en­tit­ies that would have to pick through it, they say, and find­ing the needle in the hay­stack would be very dif­fi­cult.

“CISA does not work. Private in­dustry already has ex­actly the in­form­a­tion shar­ing the bill pro­poses, and it doesn’t pre­vent cy­ber at­tacks as CISA claims,” wrote Robert Gra­ham, a se­cur­ity ex­pert and re­search­er, on his blog in March, when the bill was in­tro­duced. “On the oth­er side, be­cause of the false-pos­it­ive prob­lem, CISA does far more to in­vade pri­vacy than even pri­vacy ad­voc­ates real­ize, do­ing a form of mass sur­veil­lance.”

Sen. Ron Wyden, a Demo­crat from Ore­gon and a long­time sup­port­er of di­git­al pri­vacy in the Sen­ate, also said CISA would “have a lim­ited im­pact on U.S. cy­ber­se­cur­ity” in a March state­ment.

Wyden, the only mem­ber of the Sen­ate In­tel­li­gence Com­mit­tee to vote against the bill when it was passed in March, has called CISA a “sur­veil­lance bill by an­oth­er name” and has been act­ive on Twit­ter with the hasht­ag #Stop­CISA, cred­it­ing pri­vacy ad­voc­ates with pres­sur­ing Con­gress not to pass the bill.

If and when CISA goes in front of the Sen­ate — wheth­er it’s this month or in the fall — Wyden and his pri­vacy-minded al­lies will likely mar­shal a heated op­pos­i­tion to the meas­ure, fur­ther com­plic­at­ing its path to the pres­id­ent’s desk.

What We're Following See More »
Mueller Made 14 Criminal Referrals
8 hours ago
The Report Is Here
15 hours ago
Nadler Asks Mueller to Testify By May 23
16 hours ago
Barr OK With Mueller Testifying
16 hours ago
Report Finds 10 Episodes of Potential Obstruction
16 hours ago

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.