Congress almost certainly won’t pass any kind of major cybersecurity legislation in 2013, according to industry officials, lobbyists and others who track the issue.
Protecting the nation’s cyber infrastructure has been a top priority for the White House and many lawmakers, but the legislative effort has been done in by fugitive intelligence contractor Edward Snowden’s leaks, a crowded congressional agenda, differing views over the role of the Department of Homeland Security and affiliated organizations, and a wait-and-see approach to an executive branch cybersecurity initiative that won’t be wrapped up until next year.
Lawmakers are still likely to keep discussing cybersecurity, and the legislative push could get revived in 2014. The U.S. Chamber of Commerce is holding its second annual cybersecurity summit Wednesday, and another summit is happening the same day at the National Press Club.
Leaders of the Senate Homeland Security and Governmental Affairs Committee are working together to come up with bipartisan legislation. A House Homeland Security subcommittee last week approved a smaller cybersecurity bill (HR 3107) that would seek to strengthen the government’s cybersecurity workforce, and the committee as a whole is working to write broader legislation.
But that broader House Homeland Security draft bill is an example of some of the hurdles in the way of enacting a cybersecurity measure this year.
Chairman Michael McCaul, R-Texas, has acknowledged that the bill slipped off the schedule this summer after the uproar over Snowden’s revelations about National Security Agency programs. And it has encountered resistance from some in the industry who oppose language that they fear would federalize sector coordinating councils — private sector organizations that frequently partner with the Department of Homeland Security.
Some in industry, such as Larry Clinton, president and CEO of the Internet Security Alliance, would prefer that Congress hold off on aspects of cybersecurity legislation until the Obama administration completes work on its cybersecurity framework, a voluntary initiative meant to incentivize protection of critical computer systems by their private sector owners.
“I think that it is unlikely that we’re going to see serious legislative activity in this calendar year,” Clinton said. “The real activity is not going to happen until after the framework is finalized, and that doesn’t come until February, 2014.”
After that, there could be a legislative push in a variety of directions depending on how the framework turns out — such as for a more regulatory approach, or for incentives that the administration can’t put in place without Congress’ help, said Clinton. In the meantime, Clinton said Congress could hold hearings on aspects of the framework in preparation for winter action.
Most in industry do back passage of legislation that would bolster cybersecurity threat information sharing between businesses and the federal government, but they also concede — as many lawmakers, aides and analysts do — that the Snowden revelations have made Congress leery of taking up the cause of legislation that has been characterized by opponents as something that would put more private U.S. citizen information in the hands of spy agencies.
The Chamber of Commerce will “continue to push for legislation that would direct the government to share timely, reliable, and actionable information on cyber activity with business owners and operators, while ensuring that cybersecurity policies don’t create burdensome regulations or new bureaucracies,” chamber President Thomas J. Donohue wrote in an online commentary this week. “If we work together to tackle this national priority, we can strengthen the security of businesses, communities, our economy, and the country.”
In the meantime, the chamber, too, is closely following the development of the cybersecurity framework by the Commerce Department’s National Institute of Standards and Technology, as directed by an executive order President Barack Obama signed at the start of the year.
“NIST has been a constructive partner and is doing a good job developing the cybersecurity framework,” said Ann Beauchesne, the chamber’s vice president of National Security and Emergency Preparedness. “The chamber will continue to push policymakers to implement the framework in a way that is flexible and collaborative in practice.”
The House passed an information sharing bill (HR 624) in the spring, before the Snowden revelations. Since then, the leaders of the Senate Intelligence Committee have continued to work on their own information sharing bill but have been focused in recent months on the prospect of a military strike on Syria and on the NSA matters that are the subject of the Snowden leaks, according to a committee aide. The panel also saw a key staffer working on cybersecurity depart for a job in the Obama administration.
On the Senate Homeland Security and Governmental Affairs panel, Chairman Thomas R. Carper, D-Del., and ranking Republican Tom Coburn of Oklahoma have been exploring legislation that could include changes to the government’s efforts to secure its own computer networks and codification of the cybersecurity role of the Homeland Security Department.
But Coburn has been a skeptic of the department’s capabilities and competence, although both sides appear to be making a sincere effort to find common ground.
“Chairman Carper continues to work closely with his colleagues in the Senate and House, especially Dr. Coburn, on bipartisan legislation that will address the very serious cyber threats facing our country,” a committee spokesperson said. “Crafting such a measure is no easy task, but Chairman Carper will continue to work aggressively to find a solution to this ever growing problem as soon as possible.”
Senate Commerce, Science and Transportation Chairman Jay Rockefeller, D-W.Va., also was bullish on cybersecurity prospects. Last year, a bill he co-sponsored encountered opposition from Republicans and industry groups who contended the voluntary security standards in the bill for critical infrastructure owners were more regulatory than its backers claimed. The legislation never passed the Senate.
“It’s always rough because other things always overshadow it, which they shouldn’t,” he said Tuesday. “I think it’s better than it has been because the Chamber of Commerce has sort of backed off a little bit. They literally killed it last year, single-handedly killed it.”
Rockefeller said the plan by Senate Majority Leader Harry Reid, D-Nev., is still for each committee to produce legislation that can be joined into one.
Rockefeller’s own committee approved legislation (S 1353) in July that would codify NIST’s role in the executive order and seek to bolster cybersecurity research and development and education. And he said senators shouldn’t let concerns about the Snowden leaks influence the need to act on cybersecurity.
“You can’t take that attitude,” he said. “It’s much bigger than that.”