Communications Litigation Today was a Warren News publication.
Smaller Bills Could Pass

Limited Hill Prospects for Cybersecurity Bills Seen for 2014

After Congress ended 2013 without enacting any major legislation to bolster cybersecurity, industry observers told us in interviews they see limited prospects for progress on such bills in 2014. Congress passed two spending bills that included some cybersecurity language, but did not complete consideration of marquee legislation addressing the issue, including the House-passed Cyber Intelligence Sharing and Protection Act (HR-624) and the Cybersecurity Act of 2013 (S-1353).

The telecom industry is continuing to push for Senate action on CISPA via the long-anticipated companion bill that Senate Intelligence Committee Chairwoman Dianne Feinstein, D-Calif., and committee ranking member Saxby Chambliss, R-Ga., have been writing, said Telecommunications Industry Association General Counsel Danielle Coffey. The telecom industry has always supported CISPA, and those at a recent TIA meeting “reiterated over and over again that it’s really the bilateral sharing of this information [that] helps with cyber hygiene,” Coffey said. “In moving it over to the Senate, it obviously gets more complicated because of all of the committees that have jurisdiction, all of whom are tackling piecemeal pieces of the bill. But we're going to focus on the Feinstein legislation -- that’s where most folks are focusing their attention.”

The Feinstein-Chambliss bill has remained in limbo for months, and a Senate Intelligence aide told us Thursday there was no new update available on the bill. The delay is in part due to some advocacy groups’ resistance to the bill, Coffey said. Although the White House and Senate leaders were already dubious of major elements of CISPA when the House passed the bill in April, resistance has grown stronger because of the NSA surveillance scandal, said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program. Passage of a bill like CISPA “that uses incentives to improve an aspect of our nation’s cybersecurity would be a step forward, but I don’t really see that happening in the Senate,” said Internet Security Alliance President Larry Clinton. The Feinstein-Chambliss bill itself “is now completely on hold” because of the National Security Agency scandal, Lewis said. Discussion of parts of CISPA might move forward, but “until Congress works through NSA oversight issues, I think progress on cybersecurity will remain slow.”

The prospects for cybersecurity legislation in 2014 might be “only slightly” better than in 2013 because of recent data breaches that have received widespread attention, said Ross Schulman, Computer and Communications Industry Association public policy and regulatory counsel. “The NSA revelations are not making it any easier, particularly for any plan that suggests involving the NSA in cybersecurity in any way,” he said. “But the Target data breach and breaches like that could make things easier. We've seen breaches in the past, but the Target breach is on a different level. This is affecting people on a day-to-day basis, and I think congressmen are going to see that.” Schulman said he believes Congress could pass narrowly targeted legislation on controversial issues like information sharing “if it’s done right -- if it doesn’t involve the NSA and gives companies the legal protection they need to share non-personally identifiable information. If Congress focuses on these narrow fixes, that’s where they have a best chance of getting something done. It’s when they try to tackle all of cybersecurity’s issues in one big bill that they have trouble getting things done.”

TIA also remains supportive of S-1353, Coffey said. The bill’s language ultimately did not make it into the version of the National Defense Authorization Act that President Barack Obama signed in late December. Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., had offered the bill’s language on the floor as an amendment in late November, with the support of other Senate Democratic leaders (CD Nov 22 p19). A Senate aide said the Senate was unlikely to act on S-1353 “without the Intelligence Committee having done their pieces and moving together.” Ultimately, the NDAA included only cybersecurity provisions that deal with expanding support for the U.S. Cyber Command and other Department of Defense cybersecurity priorities. Those provisions were “very much inside baseball,” Lewis said. “It doesn’t really change the overall picture for cybersecurity.”

Smaller bills do have a chance of getting through Congress by June, most notably the National Cybersecurity and Critical Infrastructure Protection Act (HR-3696), introduced in mid-December by House Homeland Security Committee Chairman Michael McCaul, R-Texas, and the rest of the committee’s top leadership, industry observers said. The bill would codify the Department of Homeland Security’s existing collaboration efforts with the private sector, including information sharing regarding cyberthreats, but would not give the agency new powers. The bill would, however, allow expanded liability protections for cybersecurity (CD Dec 13 p21). HR-3696 has been “pretty well received and is not particularly controversial,” Lewis said. The bill is likely to pass through House Homeland Security due to bipartisan committee support, and could even pass the House, “but I'm dubious as to whether it would be processed in its current form throughout the entire congressional process,” Clinton said. “And in any case I don’t see it as having a substantial impact on U.S. cybersecurity even if it did.”

Cybersecurity workforce bills are also likely to get renewed attention in 2014, including the Cybersecurity Recruitment and Retention Act, observers said. The Senate Homeland Security Committee postponed a planned Dec. 18 markup of the bill, which has yet to be publicly introduced, but observers told us they expect action on the bill soon. House Homeland Security cleared a pair of cyber workforce bills in late October (CD Oct 30 p7), which observers said the House may act on during the first half of the year.

The NSA scandal “has certainly made processing cybersecurity legislation much more difficult, but I think there is also a general ‘wait and see attitude’ related to President Obama’s cybersecurity executive order,” Clinton said. The order initiated the National Institute of Standards and Technology’s ongoing collaboration with industry to produce the voluntary Cybersecurity Framework (CD Feb 14 p1). NIST is revising a preliminary version of the framework and plans to release a final version in mid-February. “Even after the framework is finalized, I think that ‘wait and see attitude’ will continue with respect to whether it will have any effect,” Clinton said. “Obviously there are a number of other aspects of the order, and these have not made nearly the progress that the framework has made, so we're not going to see the order’s full effect until well into 2014 -- if at all.”

TIA would also support legislation creating new incentives to encourage industry compliance with the cybersecurity executive order, Coffey said. New incentives would “really put some teeth into what they're doing,” she said. The White House has been exploring possible incentives, but incentives that would require legislation, such as liability protections or financial incentives, “are not in the cards right now,” Lewis said.

With the exception of CISPA, “we are seeing extremely old-style thinking and modest steps being taken,” Clinton said. The modest nature of most cyber bills and “generally superficial” oversight hearings on implementation of the cybersecurity executive order show that Congress has “generally not done the really serious work that needs to be done to truly understand the nature of the cybersecurity problem that we face,” he said. “There’s a lot of hard, fundamental work that needs to be done with the members of Congress so they can begin to attack this incredibly serious problem with incredibly serious solutions.” But that lack of a “matured understanding” of cybersecurity is understandable because many members do not have the same long-term knowledge of the issue as they do for telecom reform or similar tech issues, Clinton said. “I think they are becoming aware that there is an issue, but I don’t think they've had time yet to truly understand why cybersecurity is different than traditional telecom issues and why it needs to be approached in a fundamentally different fashion.”