Information Sharing Legislation Moves to Conference
Last week, the Senate passed the Cybersecurity Information Sharing Act (CISA/S. 754) by a 74-21 vote. Before voting on final passage of the bill, the Senate approved an amendment that would sunset the bill ten years after its enactment. All other amendments that were voted on during the floor debate were rejected, including an amendment from Senator Tom Cotton (R-AR) that would have extended liability protections within the bill to companies that share information directly with the Federal Bureau of Investigation (FBI) or Secret Service instead of the Department of Homeland Security (DHS). Senate Intelligence Committee Chairman Richard Burr (R-NC) previously called the amendment a “deal-killer.”
Now that the Senate has passed CISA, the House and Senate will appoint conferees to conference it with the House’s information sharing legislation – the Protecting Cyber Networks Act (H.R. 1560). The House originally passed this bill, which came out of the House Permanent Select Committee on Intelligence, in April and combined it with the House Homeland Security Committee’s bill, the National Cybersecurity Protection Advancement Act (H.R. 1731).
Conferees will have a number of issues and differences to work out between the two House bills and CISA, including how the bills allow information to be shared with the government. Both bills designate the Department of Homeland Security (DHS) as the main portal for sharing information but the Senate bill would also allow companies that already share information with other federal agencies, such as the FBI or the National Security Agency (NSA), to continue to share information directly through them. We expect that the role of DHS, NSA, and FBI will be a significant part of the conversations during the conference given that many of the privacy concerns about information sharing legislation have stemmed from questions about the need for a civilian portal for information sharing.
Additionally, given that the privacy provisions in CISA were some of the most closely watched by stakeholders, we expect that the conferees will pay close attention to how they address the differences in the privacy sections of the information sharing bills. While some Members of Congress have said that the conference process provides an opportunity to reconsider some more stringent privacy protections beyond what was included in CISA, it is more likely that the conferees will follow the language in CISA and the House bill than include any privacy amendments or additional language that was not agreed to on the Senate floor.
Based on comments from key lawmakers involved with CISA, it appears that we will not see a conferenced bill until early 2016. Committee leaders and staff in both chambers have been working closely throughout the process but many of the Committee leaders in the House and Senate that are likely to serve on the conference committee have conceded that the conference process may be contentious at times and may move at a slow pace. Despite these comments, we are still expecting to see a conferenced bill by early next year given how many years Congress has been working on information sharing legislation and the desire of many policymakers to finalize legislation so that they can address other pending cybersecurity issues.
This Week’s Hearings:
Wednesday, November 4: The House Homeland Security Committee will mark up a number of bills, including the State and Local Cyber Protection Act of 2015 andStrengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015.
Executive Branch Activity
White House Issues Government-Wide Cyber Strategy
On Friday, the White House issued its Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. The document includes an update on the comprehensive review of the federal government’s cyber policies, procedures and practices, which took place during a 30-day Cybersecurity Sprint directed by the Federal Chief Information Officer in June. This guidance aims to protect the federal government’s information systems and is the latest action from the Obama Administration in the fallout after the Office of Personnel Management (OPM) brief revealed earlier this year. The plan identifies a number of action items that the federal government will take in the coming year to improve the cybersecurity of the federal government networks.