The Senate’s Cybersecurity Bill Is in Trouble

Significant hurdles remain for the Senate’s proposed cybersecurity legislation, which is competing with at least two other issues for a vote before recess.

Majority Whip John Cornyn
National Journal
Kaveh Waddell
Add to Briefcase
See more stories about...
Kaveh Waddell
July 28, 2015, 4:01 p.m.

After a pair of massive cy­ber­at­tacks com­prom­ised the per­son­al in­form­a­tion of more than 22 mil­lion people, most of whom work or worked for the gov­ern­ment, law­makers saw an op­por­tun­ity to push for cy­ber­se­cur­ity le­gis­la­tion that has been stuck in Con­gress for years.

Des­pite the calls for ur­gency, passing a bill won’t be easy.

The Cy­ber­se­cur­ity In­form­a­tion Shar­ing Act, or CISA, a Sen­ate bill in­ten­ded to fa­cil­it­ate the ex­change of cy­ber­threat in­form­a­tion between the private sec­tor and the gov­ern­ment, has been dogged by con­flict and con­cerns about over­reach, and is fall­ing prey to par­tis­an fights that have noth­ing to do with the is­sue.

Al­though the plan was to turn to CISA after the high­way bill gets a vote, ac­cord­ing to mul­tiple Sen­ate sources, sen­at­ors may in­stead take up a meas­ure that would de­fund Planned Par­ent­hood — eat­ing in­to time the Sen­ate needs to vote on CISA. There’s also a pos­sib­il­ity that Ma­jor­ity Lead­er Mitch Mc­Con­nell will send law­makers home this week after they vote on a high­way fund­ing bill, leav­ing the cy­ber­se­cur­ity bill for the fall.

“I’m sad to say I don’t think that’s go­ing to hap­pen,” Ma­jor­ity Whip John Cornyn said Tues­day about a vote on the CISA bill, ac­cord­ing to The Hill. “I think we’re just run­ning out of time.”

Ex­tra time could help. The cy­ber­se­cur­ity bill has nu­mer­ous polit­ic­al hurdles to clear that may not be eas­ily ne­go­ti­ated dur­ing the first week of Au­gust, when sen­at­ors’ minds turn to re­cess. Many sen­at­ors also hope to have time to pro­pose fur­ther amend­ments to the bill, which may not be pos­sible dur­ing a rushed Au­gust sched­ule.

Here’s a run­down of the prob­lems fa­cing the cy­ber bill:

Out­stand­ing pri­vacy con­cerns

The in­form­a­tion-shar­ing bill has long been op­posed by pri­vacy ad­voc­ates, who say it would ef­fect­ively broaden the gov­ern­ment’s powers to spy on Amer­ic­ans.

A let­ter sent Monday from a co­ali­tion of se­cur­ity ex­perts, civil-so­ci­ety or­gan­iz­a­tions, and pri­vacy groups urges Pres­id­ent Obama to is­sue a veto threat, ar­guing that CISA would res­ult in Amer­ic­ans’ private in­form­a­tion be­ing shared with the gov­ern­ment, and cri­ti­ciz­ing it for al­low­ing the in­form­a­tion gathered from private com­pan­ies to be used for pur­poses oth­er than cy­ber­se­cur­ity.

“While cy­ber­se­cur­ity threats con­tin­ue to be a sig­ni­fic­ant prob­lem war­rant­ing con­gres­sion­al ac­tion, CISA goes well bey­ond au­thor­iz­ing ne­ces­sary con­duct, to au­thor­iz­ing dan­ger­ous con­duct, and un­ne­ces­sar­ily harm­ing pri­vacy,” said the Cen­ter for Demo­cracy and Tech­no­logy on its blog Tues­day. “Its broad use per­mis­sions sug­gest that the le­gis­la­tion is as much about sur­veil­lance as it is about cy­ber­se­cur­ity.”

Con­flict with House bills

There are cur­rently two bills in the House that com­ple­ment the Sen­ate’s cy­ber­se­cur­ity le­gis­la­tion, but re­con­cil­ing the House bills — and then squar­ing the res­ult with the Sen­ate ver­sion — may prove to be very dif­fi­cult.

The two House bills ori­gin­ated from dif­fer­ent com­mit­tees: One came from the House Home­land Se­cur­ity Com­mit­tee, and the oth­er from the House In­tel­li­gence Com­mit­tee. Al­though they are sim­il­ar in many ways, they dif­fer on some key points, in­clud­ing on li­ab­il­ity pro­tec­tion and pri­vacy pro­vi­sions.

What’s more, neither cur­rently lines up with the le­gis­la­tion un­der con­sid­er­a­tion in the Sen­ate, which trades few­er pri­vacy pro­tec­tions for more se­cur­ity pro­vi­sions.

House Home­land Se­cur­ity Com­mit­tee Chair­man Mi­chael Mc­Caul said last month that the Sen­ate’s ver­sion of the bill would be dead on ar­rival in the House, be­cause it could trig­ger fears of ex­pan­ded sur­veil­lance.

“My con­cern is that they have an NSA in­form­a­tion-shar­ing com­pon­ent in there that I think would be prob­lem­at­ic in many ways in the House,” Mc­Caul said at a Na­tion­al Journ­al event. “I’ve warned them that if that kind of bill comes back, it’s not go­ing to pass, and that’s the polit­ic­al real­ity.”

A con­gres­sion­al aide said Tues­day that Mc­Caul has not changed his mind about the cur­rent Sen­ate bill, but that he is “sup­port­ive of Sen­ate ac­tion and is op­tim­ist­ic the House and Sen­ate can come to­geth­er in con­fer­ence, if the Sen­ate were to pass their bill, to work out re­main­ing con­cerns.”

Un­clear White House sup­port

Al­though Pres­id­ent Obama strongly sup­ports in­form­a­tion-shar­ing le­gis­la­tion, and has pro­posed his own mod­el bills, the White House has not stated a spe­cif­ic po­s­i­tion on Sen­ate cy­ber­se­cur­ity bill.

Asked about the bill in June, White House press sec­ret­ary Josh Earn­est did not com­ment on the pro­posed le­gis­la­tion, in­stead point­ing to the White House’s pro­pos­al. “We have pretty ag­gress­ively ad­voc­ated con­gres­sion­al pas­sage of that le­gis­lat­ive lan­guage,” he said.

The ad­min­is­tra­tion pub­licly came out in sup­port of the two House bills in April, but has in the past is­sued veto threats against an in­form­a­tion-shar­ing bill it said did not go far enough to pro­tect Amer­ic­ans’ pri­vacy.

Ques­tions about ef­fect­ive­ness

In ad­di­tion to rais­ing pri­vacy con­cerns, some se­cur­ity ex­perts say in­form­a­tion-shar­ing le­gis­la­tion would do little to im­prove cy­ber­se­cur­ity.

The sheer volume of in­form­a­tion that would be dis­sem­in­ated un­der the bill would over­whelm law en­force­ment and in­tel­li­gence en­tit­ies that would have to pick through it, they say, and find­ing the needle in the hay­stack would be very dif­fi­cult.

“CISA does not work. Private in­dustry already has ex­actly the in­form­a­tion shar­ing the bill pro­poses, and it doesn’t pre­vent cy­ber at­tacks as CISA claims,” wrote Robert Gra­ham, a se­cur­ity ex­pert and re­search­er, on his blog in March, when the bill was in­tro­duced. “On the oth­er side, be­cause of the false-pos­it­ive prob­lem, CISA does far more to in­vade pri­vacy than even pri­vacy ad­voc­ates real­ize, do­ing a form of mass sur­veil­lance.”

Sen. Ron Wyden, a Demo­crat from Ore­gon and a long­time sup­port­er of di­git­al pri­vacy in the Sen­ate, also said CISA would “have a lim­ited im­pact on U.S. cy­ber­se­cur­ity” in a March state­ment.

Wyden, the only mem­ber of the Sen­ate In­tel­li­gence Com­mit­tee to vote against the bill when it was passed in March, has called CISA a “sur­veil­lance bill by an­oth­er name” and has been act­ive on Twit­ter with the hasht­ag #Stop­CISA, cred­it­ing pri­vacy ad­voc­ates with pres­sur­ing Con­gress not to pass the bill.

If and when CISA goes in front of the Sen­ate — wheth­er it’s this month or in the fall — Wyden and his pri­vacy-minded al­lies will likely mar­shal a heated op­pos­i­tion to the meas­ure, fur­ther com­plic­at­ing its path to the pres­id­ent’s desk.

What We're Following See More »
European Commission President to Visit White House
1 hours ago

With President Trump back from a trip in which he seemed to undermine European alliances while cozying up to Vladimir Putin, the White House has announced that European Commission President Jean-Claude Juncker will visit on July 25. According to a statement, the two "will focus on improving transatlantic trade and forging a stronger economic partnership."

IRS Relaxes Reporting Rules for Dark Money Groups
1 hours ago
House Launches Investigation Into VA Nursing Homes
2 hours ago

"The House Veterans Affairs Committee has launched an investigation into care at the VA’s 133 nursing homes after learning the agency had given almost half of them the lowest possible score in secret, internal rankings. The probe follows an investigation by The Boston Globe and USA TODAY that showed 60 VA nursing homes ... rated only one out of five stars for quality last year in the agency’s own ranking system." Internal documents revealed that "patients in more than two-thirds of VA nursing homes were more likely to suffer pain and serious bedsores than their private sector counterparts, and that "VA nursing homes scored worse than private nursing homes on a majority of key quality indicators, including rates of anti-psychotic drug prescription and decline in daily living skills."

House Republican Introduces Net Neutrality Legislation
2 hours ago

Colorado Representative Mike Coffman has introduced a bill "that would codify free internet regulations into law" by instituting the "basic outlines of the Federal Communication Commission’s 2015 Open Internet order." Coffman's bill amends the 1934 Telecommunications Act by "banning providers from controlling traffic quality and speed and forbidding them from participating in paid prioritization programs or charging access fees from edge providers." The GOP congressman has also "signed on to a Democrat-led effort to reinstate the net neutrality rules that the FCC voted to repeal late last year."

DOJ Indicts Another Russian National
20 hours ago

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.