House Approach to Cyber-Threat Bill Offers Clues to Fate in Senate
Backers of a controversial cyber-threat information-sharing bill overcame a White House veto threat and vocal criticism from privacy and civil liberties groups to push it through the House last month by a resounding margin.
Now, as the Senate begins to assemble its own bill, there are some signs in the House process of how it might go in the higher chamber — but there are also indicators of additional obstacles it will face.
The House legislation (HR 624) won more votes April 18 than the previous version did last year: 288, compared with 248.
The bill, commonly known by its acronym CISPA, is now closer to Senate language from last year that critics of the House bill and President Barack Obama’s administration found more favorable. The question is what kind of influence the White House will have going forward because of its veto threat, and whether the increased number of Democratic votes for the House bill will have any sway over what the Senate does.
“I was quite disappointed that they made that threat considering they were at the table with the refinements made to the bill,” said Rep. Terri A. Sewell, D-Ala., a member of the House Intelligence panel.
One industry lobbyist, though, said that despite the White House’s veto threat confusing so many backers of the legislation, it did spell out where there was common ground and where there wasn’t.
“While there was a line in there on threatening a veto, it also described parts of the bill they liked and things that they thought needed tweaking going forward,” the lobbyist said.
The House bill’s sponsors, Intelligence Chairman Mike Rogers, R-Mich., and top committee Democrat Rep. C.A. Dutch Ruppersberger of Maryland, plan to meet next week with their Senate counterparts to discuss the senators’ own planned information sharing legislation.
And the White House expects to be involved in bicameral discussions.
“We just want to make sure we’re open and ready to participate in the process as the Senate moves forward and working between the houses to produce a conference bill,” Michael Daniel, the White House cybersecurity coordinator, told CQ Roll Call.
The Veto Threat
After smarting from last year’s veto threat, Rogers and Ruppersberger engaged the White House early and often this year in a bid to avert a repeat.
According to a Hill staffer involved in managing the process, the White House put five issues on the table that needed to be addressed: language allowing agencies to share information for “national security” purposes; a requirement that the government limit the impact on privacy and civil liberties of the sharing of cyber-threat information, via procedures known as “minimization;” provisions on information being shared through a civilian, rather than military or intelligence, agency; the scope of liability protections for industry that share threat data; and a requirement that the private sector make a “reasonable effort” at minimization of “personally identifiable information,” such as Social Security numbers or financial records.
By the staffer’s estimation, the committee obliged the White House on three and a half of those five issues — national security purposes, mandatory government minimization, civilian information sharing, and in part, liability protections.
Critics saw it differently; Michelle Richardson, legislative counsel in the American Civil Liberties Union’s Washington office, said the language on information sharing through a civilian agency, for instance, still allowed businesses to share directly with military and intelligence agencies even though it designated the Departments of Homeland Security and Justice as “lead” agencies.
By the sponsors’ reckoning, it couldn’t address every issue without losing industry support. In an April 10 letter, a coalition of business groups including the U.S. Chamber of Commerce warned that the private sector minimization proposal by Rep. Adam B. Schiff, D-Calif., would be a significant impediment for small businesses trying to share information with the government.
A senior administration official, however, contended that none of the changes the White House wanted would have hampered information sharing, and that the administration has reached out to businesses to discuss ways they could implement minimization procedures.
Nonetheless, the changes won over many Democrats. The civilian agency language came via a last-minute addition worked out between Rogers and Ruppersberger with the leaders of the House Homeland Security Committee, Chairman Michael McCaul, R-Texas, and ranking Democrat Bennie Thompson of Mississippi. The language appeared to swing some members of that committee to a “yes” vote, in particular.
None of it swayed the White House. Before the McCaul-Thompson amendment, the White House issued a statement of administration policy spelling out the veto threat. Even after the amendment, the administration did not significantly change its position, although a senior administration official said it was a “step in the right direction.”
“The committee was quite surprised by it,” Sewell said.
Ruppersberger, at least, said he wasn’t surprised, because the sponsors didn’t make every change the White House wanted.
But privately, many backers of the bill fumed.
“Folks were frustrated about the veto threat,” said one industry lobbyist. The sentiment was, according to the lobbyist, “We want your support. If you put value in passing an information sharing bill, at least don’t threaten to veto the darn thing.”
Those who weren’t upset were confused by what the White House had to gain with the veto threat. Another industry lobbyist speculated that the administration was trying to “throw a bone” to liberal Democrats who had become very critical of the administration’s record on national security issues related to privacy and civil liberties.
Richardson said she doubted the White House was all that interested in placating its civil liberties critics, because it hadn’t budged on many of those criticisms to date. But maybe they got through this time.
“Yes, we pushed them very hard. The Internet organized around these issues, and there were hundreds of thousands of calls to the Hill,” Richardson said. “I hope they were influenced. It’s not only the corporations that are supposed to have a voice in process.”
But overall, the administration had little to gain by standing in favor of privacy and civil liberties, she said: “I honestly think it is sincere up there.”
After working hard to address some of the administration’s concerns, the Hill staffer said the veto threat undercut bill supporters’ desire to work with the White House going forward.
Ruppersberger, for his part, said “I don’t think there were hard feelings at all. There were hard feelings after the first bill.” He said the White House has been in touch about wanting to keep lines of communication open.
And a second senior administration official said the White House had no ulterior motive with its veto threat.
“From our perspective, really the issue is that at the end of the day we had to express our opinion on the bill that came out of committee,” the official said. “There were some issues with that version of the bill that made it so the president’s senior advisers could not recommend he sign such a bill.”
Ruppersberger said he hoped that the big margin on the House bill would show the Senate that the proposal has momentum.
Senate Intelligence Chairwoman Dianne Feinstein, D-Calif., said what happened in the House won’t impact the legislation she’s working on with her vice chairman, Saxby Chambliss, R-Ga.
The House bill “is not going to go anywhere,” she said last week.
Chambliss said he saw value in the House proposal, and one of the things he would change could cause greater dismay in the White House.
“There’s some good things in there some things I like, some things I’d like to make stronger, particularly the immunity provisions,” he said last week. But, he added, “I think we come at it from a little different approach.”
Both supporters and opponents of CISPA said that while Rogers and Ruppersberger have largely been on the same page on cybersecurity legislation, Feinstein and Chambliss have come at the issue with different perspectives — Feinstein with an emphasis on privacy, Chambliss with an emphasis on ease of sharing. Nonetheless, one industry lobbyist said that, at minimum, the House has produced a “conference-able” bill should something emerge from the Senate.
There was also one key element to what happened in the House that could be telling for the endgame.
“The overwhelming bipartisan and veto-proof majority demonstrates that we were able to find the right balance as to what can get done in a divided Congress,” Rogers said in a written statement. “And anyone who has looked at this threat at all knows we have to get legislation signed into law as soon as possible to protect our networks and our economy at large.”
Richardson, though, said some Democrats told her privately they only backed CISPA to keep a bill moving and wouldn’t support it fully without more changes.
Whatever impact the veto threat had or didn’t, the Obama administration also figures the discussion about an information-sharing bill has improved as a result of another step they took — an executive order that mimicked some of the industry security standards contained in a failed Senate bill last year.
“Last year we were far too into platitudes, information sharing versus regulation,” a senior administration official said. “Now we’re having a discussion about the right way to do information sharing. We’re in a very different place than we were last year.”