Obstacles Facing Info Sharing BillGetting Cybersecurity Legislation Passed Isn't Easy
With the Senate Intelligence Committee overwhelmingly approving the Cybersecurity Information Security Management Act, common wisdom dictates and high school civics classes suggest the bill will head directly to the Senate floor. Not so fast.
Sure, the full Senate could be the next destination of legislation to facilitate the government and the private sector to share voluntarily cyberthreat information, but that isn't necessarily the case.
The original language ... was actually worse than CISPA, worse than we saw that passed out of the House.
Plenty of obstacles could block the path of the bill that won overwhelming, bipartisan support in a vote by the committee behind closed doors on July 8 (see Senate Panel Ok's Cyberthreat Info Sharing Bill).
Other committees with IT security oversight might ask to consider the bill, too. The White House could issue a veto threat. Also, the clock is ticking. There aren't many legislative days left this year, a calendar cut short by the midterm election. Many members of Congress are more interested in getting re-elected than legislating.
And even if the cyberthreat intelligence bill passes the Senate, a conference committee would have to iron out the differences between the Senate bill, CISA, and the Cyber Intelligence Sharing and Protection Act, or CISPA, which passed the House last year.
Among the reasons Congress has failed to enact a significant cybersecurity bill in a dozen years is that there are just too many committees - and their chairs - who seek to influence legislation. Besides the Intelligence Committee, the Armed Services; Commerce, Science and Transportation; Homeland Security and Governmental Affairs; and Judiciary committees have jurisdiction over portions of cybersecurity. Plus, the Senate Energy and Natural Resources Committee seeks to have sway overseeing securing the power grid.
It's rare that more than one Senate committee would hold a markup session, in which a committee amends and votes on a specific bill. (Multiple committees marking up bills in the House isn't unusual.) But several Senate staffers say another committee or two could seek permission from the Senate parliamentarian to also mark up CISA.
Other Panels' Claims
A logical argument could be made for the Homeland Security and Governmental Affairs Committee to review CISA. After all, the legislation tasks DHS with many of the responsibilities for implementing the act, and the committee has oversight over the department.
The Judiciary Committee also could stake a claim to the bill because it oversees antitrust laws, and provisions in CISA deal with liability protections afforded to businesses sharing information that could be seen as violating antitrust laws.
A Judiciary spokeswoman says Committee Chairman Patrick Leahy, D-Vt., doesn't rule out seeking a markup session for CISA, but at the moment, it's not his priority; he's focused on winning passage of the USA Freedom Act, legislation aimed at ending the bulk collection of Americans' metadata.
Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., has expressed no interest in holding a markup on the cyberthreat sharing bill. In referring to his own cybersecurity bill, he said earlier this year: "I'm confident that others will follow our lead and develop their own bipartisan bills with key elements, including information sharing, that will complement our work to help strengthen and improve our economic and national security."
The bill's sponsors, Sens. Dianne Feinstein, D-Calif., and Saxby Chambliss, R-Ga., seem convinced the Senate floor is CISA's next destination, not another committee, telling reporters the compromise-filled bill was by nature imperfect, but they were hopeful it could pass the Senate and move through conference with the House by the end of the year, according to the news site Politico.
Uncommon Way to Draft a Bill
One of the oddities of CISA is that the Senate Intelligence Committee approved the bill before it was formally introduced. The panel voted on a draft of the bill that circulated among panel members, as well as a series of amendments. An official version of the bill is expected to be introduced this week. The parliamentarian decision on which committee or committees would have jurisdiction over the legislation will come after it's officially introduced. (On July 10, the committee issued the official version of the bill.)
Because few have had time to read - and analyze - CISA, it's unclear whether it differs much from CISPA, which the administration has twice threatened with a presidential veto (see White House Threatens CISPA Veto, Again). Based on comments made by the bill's sponsors, critics of CISPA say they fear CISA is very similar. "The original language did not differ much from CISPA," says Mark Jaycox, a legislative analyst for the Electronic Frontier Foundation, a civil liberties advocacy group. "It was actually worse than CISPA, worse than we saw that passed out of the House."
On key bills, the White House often issues a statement of administration policy, which explains why or why not the administration supports a particular measure, and what changes they seek if they oppose the legislation. In 2012 and 2013, the White House used statements of administration policy to threaten to veto CISPA, contending the House-approved bill, which had strong bipartisan backing, didn't furnish sufficient privacy protections and provided liability protection that the White House deemed too broad.
An administration veto threat of CISA could be its death knell. There might not be enough time left in the current Congress - or inclination among lawmakers - to reach a compromise with the president or with the House in a conference committee to resolve differences.
Little wonder significant cybersecurity legislation hasn't passed the Congress since 2002.