Legislative Update – Cybersecurity

Our colleagues at ML Strategies have authored a Legislative Alert:

As the 112th Congress gets underway, many continue to feel that partisan gridlock will block movement on significant legislation, leaving congressional activity to legislation that doesn’t require a heavy lift. However, in what many view as a surprising move, Congress appears ready to address one of the most complicated issues on its agenda – cybersecurity.  There are ample disagreements in approach, but a serious effort is underway to bridge these differences and get a bill passed.  There is a strong push for information sharing between the public and private sectors as a means to protect against cyber attacks.  This concept of information sharing is a main component of a House cyber security bill that was marked up last week, and was also the topic of an opinion piece written by a group of Senate Republicans.  The authors – Sens. Hutchison, Grassley, Chambliss, and Murkowski – outline their approach to cybersecurity and stress that it is important for the Administration and Congress to work together to ensure a bipartisan solution.  In addition to information sharing, the overall balance between government intelligence needs and private business needs is a priority for both House and Senate cybersecurity legislation.  There have been reports that a classified briefing between Administration officials and Senators took place last week to discuss the urgency of passing a cybersecurity bill this year.

House:  A bill introduced by Cybersecurity Subcommittee chairman Dan Lungren (R-CA) and Homeland Security Committee chairman Peter King (R-NY) has drawn support from key Democrats, and will likely also gain support from Republicans because it is intended to facilitate information sharing between the government and private sector.  The Promoting and Enhancing Cybersecurity Act, H.R. 3674, represents a blend of incentives and new regulation.  This bill was marked up on Wednesday, February 1, and Chairman Lungren offered an amendment in the nature of a substitute.  There are other House proposals in the works, but it is unclear whether the House will follow the Senate’s lead and attempt to combine them into one comprehensive measure.  Rep. Mac Thornberry (R-TX), has indicated that the House is waiting to see what the Senate does and is aiming for getting cybersecurity bills on the floor by the end of February or beginning of March.  Rep. Thornberry has also noted that successful cybersecurity legislation should be focused on emerging threats and encourage both the public and private sector to practice good cyber hygiene and reduce clutter in their networks.  

Senate:  Several Senate committees, led by the Commerce Committee and the Homeland Security and Government Affairs Committee (HSGAC), have been working for more than a year on a comprehensive bill, and Senate Majority Leader Harry Reid (D-NV) announced late last year that he intended to bring a bill to the floor in the coming months.  Jeffrey Greene, Senior Counsel at HSGAC, has indicated that they have taken the Majority Leader’s direction seriously and are close to finalizing a bill that could be filed as early as this week.  Tom Ross, who is the intelligence expert from Sen. Reid’s office, has indicated that the Senate is working on formulating a federal data breach notification standard.  Members of the Judiciary and Commerce Committees wish to include this type of standard in cybersecurity legislation, but they are in the process of determining how broad the language should be.

Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME), Chairman and Ranking Member of HSGAC, will introduce the bill along with Commerce Committee Chairman Jay Rockefeller (D-WV).  One portion of the bill that was met with concern from lawmakers and the private sector was language defining the president’s powers in the event of a cyber emergency.  This language has reportedly been removed from the Senate bill.

Section by section staff discussion drafts of the bill were circulated on Capitol Hill and with industry late last week.  Four of these discussion drafts are said to be part of a comprehensive cybersecurity package, while the information sharing piece is currently separate.  In the discussion drafts, the Senate shows a flexible approach to cybersecurity that recognizes each sector has access to different information and therefore faces different threats.  The bill also establishes the White House Office of Cyberspace Policy and updates current FISMA regulations.  

The Cybersecurity Information Sharing Act is currently separate from the comprehensive cybersecurity bill.  The goal of this legislation is to encourage the public and private sectors to work together to protect against cyberthreats.  Not only does this bill encourage information sharing between the public and private sectors; the bill also encourages the entities in the private sector to work together and share cyberthreat information among each other.