Info-Sharing Bills: What Happens Next?Obama's Stand on Two Measures Could Affect Their Fate
As the House prepares to vote this week on two cyberthreat information sharing bills, their fates will rest as much on the White House's reaction to the proposals as on what happens in Congress.
See Also: What is next-generation AML?
The House Rules Committee on April 21 will consider amendments to both bills, the Protecting Cyber Networks Act that the Intelligence Committee approved on March 26 in a secret session (Cybersecurity Bills: Latest Developments) and the National Cybersecurity Protection Advancement Act that the Homeland Security Committee passed unanimously on April 14 (see House Panel Passes Cyberthreat Info-Sharing Bill). A vote by the full House is slated to occur on April 23 for the Intelligence Committee version of the bill and on April 24 on the Homeland Security version.
Although the White House is not getting everything it seeks in a cyberthreat information sharing law, the legislation offers more of what President Obama seeks than did CISPA.
Before the floor votes take place, the White House could issue a Statement of Administration Policy, which provides the administration's view on whether President Obama should sign or veto the legislation. The administration usually issues SAPs after a committee approves the bill but before the full chamber votes on it.
The House in the past two congresses had passed cyberthreat information sharing bills, both known as the Cyber Intelligence Sharing and Protection Act, or CISPA, and in each case the White House threatened a presidential veto (see White House Threatens CISPA Veto, Again). The administration, in both instances, contended the legislation failed to provide sufficient privacy and civil liberties safeguards for citizens' personal information while furnishing businesses with too broad liability protections when they voluntarily share cyberthreat information with the government and each other.
For the White House, the Intelligence Committee version of the information sharing bill could prove more problematic. It's closer to CISPA than is the Homeland Security Committee's version and has attracted the wrath of civil liberties and privacy advocates. The Protecting Cyber Networks Act would allow the sharing of citizens' information with intelligence agencies such as the National Security Agency and law enforcement.
On the other hand, the Homeland Security Committee's National Cybersecurity Protection Advancement Act incorporates language that explicitly states that sharing such information with intelligence and law enforcement agencies would be prohibited, except if it should help mitigate a cyber-attack. Some privacy experts contend that even with that proviso, some private information could find its way to intelligence and law enforcement agencies.
Added Privacy Protections
Still, the National Cybersecurity Protection Advancement Act has been amended to provide many more privacy and civil liberties' protections to citizens than does the Intelligence Committee's bill. And both bills furnish businesses with broad liability protections that would extend such safeguards to companies even if they choose not to share cyberthreat information with the government. It's unclear whether changes that appear in these bills pass muster with the administration and address its concerns regarding privacy and civil liberties' safeguards and business liability protections.
Businesses want those broad protections, and the Financial Services Roundtable, a banking industry lobbying group, has posted a Web advertisement, titled Stop Cyber Threats, calling on voters to lobby Congress to take swift action on cyberthreat sharing legislation.
It's likely, but not inevitable, that if the White House issues an SAP on the Protecting Cyber Networks Act, it would say that senior administration officials would recommend an Obama veto. As for the National Cybersecurity Protection Advancement Act, it's less clear what the White House will say. The committee members did meet many of the objections raised over CISPA regarding privacy and civil liberties' projections, although the bill doesn't seem to meet the concerns raised about broad liability protection.
What Will Obama Do?
Remember, lawmaking involves compromise, and although the White House is not getting everything it seeks in a cyberthreat information sharing law, the legislation offers more of what Obama seeks than did CISPA, and the president might support it, perhaps conditionally.
Of course, the Senate has to take action as well.
On March 12, the Senate Intelligence Committee approved a bill more similar to the Protecting Cyber Networks Act from its House counterpart than the National Cybersecurity Protection Advancement Act offered by the House Homeland Security panel (see Senate Intel Panel OKs Info-Sharing Bill). Senate Majority Leader Mike McConnell, R-Ky., says he hopes to bring that measure up for a vote shortly, though he provided no specific timeframe.
Sen. Ron Wyden, D-Ore., the only Senate Intelligence Committee member who voted against the bill in committee, said last week that "a good group of senators" seeks to amend the measure to add privacy protection when it comes up for a vote before the entire Senate, according to The Hill.
Limits of Executive Order
Obama earlier this year issued an executive order to establish a process for businesses to share cyberthreat information through the Department of Homeland Security's National Cybersecurity & Communications Integration Center (see President Obama Grapples with Cyber Challenges). But Obama on his own cannot provide businesses with the protection from legal actions for sharing cyberthreat information; that requires a new law enacted by Congress.
Passage of both House bills in the lower chamber is almost a certainty, and if - and that's a big if because the Senate never voted on a cyberthreat information sharing bill in the past two congresses - the upper chamber approves information sharing legislation, a conference between the House and Senate would iron out differences among the various measures, and produce a final bill. By then, the president's views on how far he'd compromise would be known, and a bill acceptable to the House, Senate and White House could become law.