Prospects Dim for Cybersecurity BillsInfoSec Not a High Priority in Waning Days of 113th Congress
Rep. Mike McCaul worked hard - an "ordeal," in his words - to get the House of Representatives to pass the National Cybersecurity and Critical Infrastructure Protect Act earlier this year, getting conservative trade groups and the liberal American Civil Liberties Union to back the bill.
See Also: The Business Email Compromise Handbook
"We went through countless drafts and hours of negotiations to bring this common-sense legislation to the floor," bill sponsor McCaul, the Texas Republican who chairs the House Homeland Security Committee, said after the July passage of the bill (see How House Passed 3 Cybersecurity Bills). The bill, if enacted, would codify the National Cybersecurity and Communications Integration Center, an agency within the Department of Homeland Security that fosters real-time cyberthreat information sharing with critical infrastructure operators
Because some of the legislation being considered does enjoy fairly broad support, they could represent early wins for Republicans.
But all of McCaul's hard work - and the tough grind of other legislators and staffers working on cybersecurity legislation - apparently will have been for naught. After big Republican wins in the November election, Congress returns to Washington this week in the waning days of the 113th Congress. Yet pending legislation addressing a number of cybersecurity matters are likely to die.
Among the bills expected to succumb by year's end are legislation to promote the sharing of cyberthreat information between government and business; direct DHS to develop a strategic plan to accelerate research and development to protect the nation's critical infrastructure; and require DHS to develop occupation classifications for individuals performing cybersecurity activities
A Safe Wager
Barring a catastrophic cyberattack in the next few days to motivate lawmakers to act, Good Harbor Consulting Cybersecurity Principal Jacob Olcott doesn't expect votes on any cybersecurity bill for the remainder of the current Congress. "If I'm betting, I'm betting that folks will try to pick things up where they stand at the beginning of next year," says Olcott, the former counsel of the Senate Committee on Commerce, Science and Transportation.
Taking precedence over cybersecurity lawmaking in the coming weeks will be passage of stopgap legislation to fund the federal government after Dec. 11 to prevent a government shutdown. Still, even without the need to fund the government, votes on key cybersecurity bills would be highly unlikely.
First off, there's just not enough time to iron out differences between House and Senate versions of similar legislation. Take, for instance, measures to reform the Federal Information Security Management Act, the law that governs federal government IT security. Strong, bipartisan support exists for FISMA reform. The Senate bill, which cleared the Homeland Security and Governmental Affairs Committee, has never been scheduled for a vote by the full chamber (see FISMA Reform Heads to Senate Floor). That bill codifies the current administration practice of granting the Department of Homeland Security sway over the implementation of IT security practices in other civilian agencies. No such provision exists in the House bill, which unanimously passed last year (see FISMA Reform Passes House on 416-0 Vote).
Agreement on Concept, Not Details
Lawmakers from both parties generally agree that a need exists for a national data breach notification act that would supplant 47 separate state laws. In the last four Congresses, the Senate Judiciary Committee has approved bipartisan data breach notification legislation, although none of the bills ever came up for a vote by the full Senate (see U.S. Data Breach Notification Law Unlikely in 2014).
That's partly due to the inability of lawmakers to agree on what the provisions of a national law should be. For instance, Sen. Patrick Leahy's bill would require notifications of individuals of a breach within 60 days; another measure would set notification within 30 days and still another would require notification "without reasonable delay." A fourth bill doesn't specify a time but would leave that up to regulators as long as it's done quickly.
It's not just failure to agree on provisions that have prevented votes. Leahy, the Vermont Democrat who chairs the Judiciary Committee, had to pick and choose what bill to push in the closing days of Congress. Instead of data breach legislation, Leahy decided to put his energy into getting passed the USA Freedom Act, which would rein-in the National Security Agency's bulk collection program, an effort that failed. "There's limited floor time, and the Judiciary chairman has to pick his spot," says Peter Swire, senior fellow at the Future of Privacy Forum, a Washington think tank that advocates responsible data practices.
Wait Till Next Year
Is working out the differences in the language of various cybersecurity bills insurmountable? Of course not. But given the limited amount of time left this year and that the Republicans will control both houses of Congress beginning in January, enacting of cybersecurity legislation will wait.
And, perhaps, the Republicans might seek compromise early next year on a piece or two of cybersecurity legislation to prove they can govern. Olcott sees "passing something" as a potential priority for Republicans in the next Congress. "There always a chance at the beginning of the session to establish your priorities," he says. "And, because some of the legislation being considered does enjoy fairly broad support, they could represent early wins for Republicans to show that, 'Hey, we're working together in the House and the Senate and we can pass something together.'"
But even early wins will require a lot of hard work.