Expectations Low for Cyber LegislationCybersecurity Measures Take Back Seat to Other Issues
Congress isn't ignoring cybersecurity as lawmakers return to Washington this week. But it's unlikely the House or Senate will vote on any significant cybersecurity legislation before they adjourn later this month in advance of the fall election.
Alhough no votes on cybersecurity bills have been scheduled, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing to look into the ties between cybersecurity and terrorism on Sept. 10. The same day, the House Armed Services Subcommittee on Intelligence, Emerging Threats and Capabilities will explore cybersecurity in the military services.
Cybersecurity is seen as a growing concern among lawmakers, but it pales when compared with other issues Congress must confront in the next few weeks, including funding the government for fiscal year 2015, which begins Oct. 1. Without enacting a so-called continuing resolution, the federal government would shut down. Other issues are grabbing senators and representatives attentions, too, such as the increasing threat posed by the Islamic State terrorist group in Iraq and Syria and the Russian-Ukraine conflict.
At this point in the legislative session, lawmakers - especially those up for re-election - either promote legislation that could help boost their re-election chances or do nothing, in order to cause no harm to their hopes to return to Congress next year. Despite a growing number of data breaches that have gained widespread attention, cybersecurity has yet to become an issue that candidates run on.
"Not many [lawmakers] know how this is really affecting their constituency," says Congress watcher Hord Tipton, executive director of the IT security certification organization (ISC)2 and a former Interior Department chief information officer. "This should soon become a campaign issue because people are hurting more with each passing session of Congress."
Because voters aren't demanding enactment of cybersecurity legislation, legislative leaders - especially in the Senate - don't feel pressured to bring these bills up for a vote.
"People have heard about cybersecurity - and don't like the breaches - but they don't feel like they understand it or have a strong opinion as to what to do about it," says Larry Clinton, president of the Internet Security Alliance, a trade association. "So, they are [not] pressuring their elected representatives to take action, because they are not sure what action to take."
Purdue University IT security expert Gene Spafford explains why cybersecurity legislation is unlikely to pass Congress this year.
In the current Congress, the Republican-led House passed a number of cybersecurity bills. One piece of legislation, known as the Cyber intelligence Sharing and Protection Act (see House Handily Passes CISPA), would encourage businesses to share cyberthreat information with the government. Another would reform the Federal Information Security Management Act, known as FISMA, the law that governs federal government information security (see FISMA Reform Passes House on 416-0 Vote). Those bills had received bipartisan support. But the Democratic-led Senate has not passed significant cybersecurity legislation in years.
Why so? The rules of Congress make getting bills through the Senate more difficult. "In the House, if the majority wants to move a bill, they pretty much can, whether they have bipartisan support or not," Clinton says. "In the Senate, virtually any senator can block a bill. Even bills with bipartisan support in the Senate have trouble getting on and off the Senate floor."
House cybersecurity bills generally are narrowly focused. In the Senate, the legislation often combines a number of measures into an omnibus bill, and that makes building a consensus harder to achieve.
The vast majority of provisions in cybersecurity legislation have wide support from members of both parties, from members of both chambers and the White House. But some bills contain a few provisions that are divisive, preventing legislation, such as reforming FISMA, from getting enacted.
Differing Views on DHS Role
House-passed legislation to reform FISMA did not contain provisions that would have elevated the Department of Homeland Security's role in enforcing cybersecurity standards on other federal agencies, an approach the White House favors. FISMA reform legislation before the Senate, which passed the Homeland Security and Governmental Affairs Committee (see FISMA Reform Heads to Senate Floor) contains those provisions, but some senators don't want to give DHS that authority. That has stalled the bill in the upper chamber.
Similarly, the House-passed version of cyberthreat information sharing legislation doesn't contain what the Obama administration considers sufficient civil liberties and privacy protections. The White House also contends that bill goes too far in providing liability protections to businesses that share cyberthreat information (see White House Threatens CISPA Veto, Again).
The Senate Intelligence Committee this summer passed behind closed doors its version of the bill, known as the Cybersecurity Information Sharing Act, with co-sponsor Sen. Diane Feinstein, D-Calif., contending it provides more privacy protections than the House-passed Cyber Intelligence Sharing and Protection Act (see Senate Panel OK's Cyberthreat Info Sharing Bill). Still, a top Obama administration official - and some senators - say CISA needs to have its privacy and civil liberties provisions strengthened. "Given some issues that the privacy community has raised, we need to take that into account as we ... work on the bill," a senior administration official says (see Why White House Hasn't Backed CISA).
Though CISA has moved to the full Senate, some members of the Senate Homeland Security and Governmental Affairs Committee might seek further review of the legislation, according to a Senate staffer with knowledge of the bill's legislative progress.
Who's At Fault?
Who's at fault for the Senate failing to act? Some critics of the administration says the White House could demonstrate more leadership in getting the Senate to move on cybersecurity legislation. "The lack of White House leadership means that the Senate leadership doesn't feel much urgency, and the opposition of privacy groups to serious cybersecurity measures provides enough friction that bills aren't making progress," says Stewart Baker, former assistant secretary for policy at the Department of Homeland Security in the Bush administration.
Major pieces of cybersecurity legislation before the Senate include the Federal Information Security Modernization Act that would reform FISMA; the threat-information sharing Cyber Information Sharing Act; the USA Freedom Act, legislation sponsored by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., which would end bulk collection of metadata; and the Data Security and Breach Notification Act, which would nationalize breach notification requirements.
The USA Freedom Act gained some traction last week when Attorney General Eric Holder and National Intelligence Director James Clapper endorsed it. But even with their backing, passage is far from assured. "Despite the retreat of the White House in favor of Sen. Leahy's bill, it remains a controversial issue that doesn't really have to be addressed before mid-2015," Baker says. "With this Congress, it's usually safe to assume that votes that don't have to be taken won't be."
Codifying Existing Practices
Though questions remain on whether major cybersecurity legislation can pass Congress, several narrowly focused, noncontroversial bills that breezed through the House in July could come up for a Senate vote before the election or they "might have to wait for the lame duck session," says James Lewis, who keeps tabs on government cybersecurity policy from his perch at the think tank Center for Strategic and International Studies.
Those bills include the National Cybersecurity and Critical Infrastructure Protection Act, which passed the House by a voice vote on July 28 (see How House Passed 3 Cybersecurity Bills). That measure, which had the backing of business organizations and the American Civil Liberties Union, a rare combination of supporters, would codify the National Cybersecurity and Communications Integration Center, an agency within the Department of Homeland Security that fosters real-time cyberthreat information sharing with critical infrastructure operators.
The two other cybersecurity bills passed by the House that day were the Critical Infrastructure Research and Development Advancement Act, which directs DHS to develop a strategic plan to accelerate research and development to protect the nation's critical infrastructure, and the Homeland Security Cybersecurity Boots-on-the-Ground Act, which would require DHS to develop occupation classifications for individuals performing cybersecurity activities.
But if history serves as a lesson, there will be very little action on significant cybersecurity legislation before the election or even in the lame-duck session.