Breaking Congress' Cyber Legislation LogjamRepublican Majorities in Senate, House Could Spur Action
"While the House has worked with great success to pass four cyber bills with unusually strong bipartisan support, they've been stymied each time by a Senate that won't bring any of these bills up for a vote," says Steven Chabinsky, chief risk officer for cybersecurity firm CrowdStrike and former deputy assistant director for cyber at the FBI. "The midterm results could change that."
The midterm election on Nov. 4 gave Republicans a solid majority in the Senate, and expanded their majority in the House of Representatives (see Impact of GOP Win on Cyber Lawmaking).
In the current Congress, Senate Majority Leader Harry Reid, D-Nev., has yet to schedule votes on a number of cybersecurity-related bills that have cleared Senate panels. One of those bills is the Cybersecurity Information Sharing Act, which the Senate Intelligence Committee approved in a secret vote last summer (see Senate Panel OK's Cyberthreat Info Sharing Bill).
A number of other bills focused on government IT security have reached the Senate, but have not been brought up for a vote, including the Federal Information Security Modernization Act, the bill that the Senate Homeland Security and Governmental Affairs Committee approved in June (see FISMA Reform Heads to Senate Floor). That measure would reform the 12-year-old Federal Information Security Management Act, the law that governs federal government IT security.
Fear of Filibuster
Reid's experience in 2012 might have given him cold feet in bringing up bills unless he knows the 60 votes needed to defeat a filibuster exist. In the 112th Congress, when Reid brought up the Cybersecurity Act of 2012 for the vote, the bill's supporters couldn't muster sufficient votes to end a Republican-led filibuster (see Senate, Again, Fails to Halt). That bill would have encouraged business to voluntary adoption a series of IT security best practices, provisions the measure's opponents argued could lead to regulation, an anathema to most Republicans.
With Republicans in charge of both houses beginning in 2015, lawmakers with kindred spirits and governmental philosophies could more easily reach consensus on cybersecurity legislation that has so far stalled in Congress.
Take FISMA reform, for instance. The House-passed FISMA reform bill and the similar measure that the Senate committee approved contain provisions to change how government agencies assure IT protection by relying on new technologies and processes rather than the FISMA-required checklist approach aimed at assuring proper security controls are in place. But the Senate bill - backed by President Obama - also would grant more authority to the Department of Homeland Security to oversee IT security implemented at civilian agencies, provisions absent in the House bill. That's because some Republicans believe DHS neither has the wherewithal nor credibility to do the job of securing IT at civilian agencies.
Conceivably, in the new Congress, FISMA reform could be passed without an expanded role for DHS. Then, it would be up to Obama whether to sign the legislation. "I have never understood why FISMA reform hasn't passed," says Larry Clinton, president of the trade group Internet Security Alliance. "The White House certainly ought not to stand in the way of these needed reforms."
FISMA reform, at first glance, seems like low-hanging fruit Congress can take because of widespread agreement among lawmakers about the weakness of the current law that's seen as too focused on compliance rather than on IT security. But potential deep divisions could be found in the details of a new FISMA law, says Gerald Ferguson, who tracks congressional action as co-leader of the national privacy and data protection team at the law firm BakerHostetler.
"Agencies with the budgets already constrained by sequestration may not be in a position to make a further investment cybersecurity without further appropriations, which a Republican Congress looking to balance the budget may be unwilling to provide," Ferguson says.
And lawmakers would have little political motivation to revise FISMA. "FISMA reform is inside baseball and, therefore, less in the public eye," says Alan Raul, founder of the privacy and data security law practice at the law firm Sidley Austin. "It's not to say it isn't extremely important and shouldn't be considered but the imperative to get it done is a little lower. The opportunity for taking credit and expressing great satisfaction is a little lower."
Focus on Constituent-Friendly Bills
Instead, in the new Republican-led Congress, Raul sees lawmakers being more interested in addressing legislation to nationalize data breach notification and spur cyber-threat information sharing between government and business and among businesses because of growing demand by their constituents for such laws.
Many businesses seek a national data breach act because it would be easier for them to comply with one statute than with the 47 different state laws now on the books. Indeed, on Nov. 6, a coalition of 44 retail associations on sent a letter to the Democratic and Republican leaders of both houses urging Congress to enact a national data breach notification law that would cover all industries, including financial services. "Exemptions for particular industry sectors not only ignore the scope of the problem but create risks criminals can exploit," the letter says.
And therein lies a problem, even when most lawmakers agree legislation is needed: What provisions would be in the legislation? With breach notification, there is yet no consensus on defining what types of breaches warrant notification and to whom and what penalties should be enforced if notice isn't properly given. "Republicans will be looking for a national notification law that insulates business from suits," Internet Security Alliance's Clinton says. "If such a law gets past a filibuster in the Senate, it will not be signed by the administration."
Similarly, there's widespread agreement in Congress and the administration for the need for cyber-threat information sharing legislation, a measure businesses say is necessary to provide them the legal protection to share threat signatures and other information about cyber-attacks. But the White House has threatened to veto the House-passed Cyber Intelligence Sharing and Protection Act, citing privacy concerns and what it perceives as too broad liability protections (White House Threatens CISPA Veto, Again).
Narrowing Political Chasms
Still, the political chasms over specific provisions in these bills aren't so wide that they can't be traversed. Republicans, to prove they can govern and that government needn't be dysfunctional, will look for legislation that can win bipartisan support - unlike, say, more contentious immigration reform. "Cybersecurity can represent that common ground," says Samuel Visner, senior vice president and general manager at the management consultancy ICF International. "The need for cybersecurity is evident; resolving ways to meet that need that accord with privacy concerns remains tough, but not impossible, and there is likely to be some appetite for progress."
Besides, Raul says, cybersecurity as a political issues a not overtly partisan. "There is very substantial agreement on both sides of the aisle," he says. "The differences here are much smaller than the area of agreement. And what has held up legislation to date has been the divide between the House and the Senate more than anything else."
That divide ends on Jan. 3 when the new, Repubican-majority Congress convenes.