Cybersecurity

Hurdles remain for major cybersecurity bill

Sweeping cybersecurity legislation recently passed in Congress still has serious hurdles to clear before becoming law.

On Tuesday night, the upper chamber approved the Cybersecurity Information Sharing Act (CISA) — a bill meant to encourage companies to share data on cyberattacks with the government — by a bipartisan 74-21 vote.

Coming roughly six months after the House approved its companion legislation, the Senate’s vote puts an overall cybersecurity information-sharing measure on path to becoming law.

{mosads}But despite the bills clearing both chambers by wide margins, the legislation is about to enter a difficult and uncertain conference negotiation to produce the final bill.

Shifting House leadership, the technical nature of the legislation and significant discrepancies between the passed bills are all expected to drag out that conference report between the two chambers, pushing the bill’s implementation into the new year at least, according to proponents of the legislation.

“You saw how difficult it was and how technical this can be,” said Sen. Richard Burr (R-N.C.), who co-sponsored the Senate’s bill with Sen. Dianne Feinstein (D-Calif.), shortly after the long-stalled CISA passed. “We’re going to move at a very slow pace.”

First and foremost is the looming void atop the House. The lower chamber has yet to elect its new Speaker, with outgoing Speaker John Boehner (R-Ohio) just days from his planned retirement.

After several weeks of cajoling, the ostensible consensus candidate, Rep. Paul Ryan (R-Wis.), was finally convinced to run, meaning he is likely to be officially elected soon.

But even Ryan’s ascension to the Speakership could throw a wrench in the cyber negotiations. To take on the House’s top role, Ryan would have to leave his position as head of the House Ways and Means Committee.

One of the key co-sponsors of the House’s cyber legislation, House Intelligence Committee Chairman Devin Nunes, has expressed interest in shifting over to run the powerful tax-writing committee.

The California Republican would face at least a three-way race. Both Rep. Kevin Brady (R-Texas), the committee’s second-ranking Republican, and Rep. Pat Tiberi (R-Ohio) have also said they plan to run.

“Let’s get a new Speaker in place, let’s let him decide whether Devin Nunes is going to be the chair of the Intel committee or the chair of Ways and Means, and we’ll begin as early as we can to start to preconference this with the House,” Burr told reporters Tuesday night.

Nunes joined with his committee’s ranking member, Rep. Adam Schiff (D-Calif.), to back the Protecting Cyber Networks Act (PCNA), one of two complementary cyber info-sharing bills the House passed on back-to-back days in April.

The other bill, known as the National Cybersecurity Protection Advancement Act (NCPAA), came from the House Homeland Security Committee’s leaders, Chairman Michael McCaul (R-Texas) and ranking member Bennie Thompson (D-Miss.).

If Nunes does leave the Intel panel, it would be up to the next Speaker to appoint the next head of the Intelligence committee, who would immediately become a central part of the cyber bill negotiations.

Burr maintained that new Intel leadership shouldn’t change the conference process.

“I don’t think so,” he told reporters, noting that Nunes is “not necessarily the next in line on Ways and Means, so I don’t think that’s a certain certainty.”

“We’ll work with them until they sort out things,” he added.

But House and Senate leaders will also face considerable pressure from other lawmakers, advocacy groups and the White House, who all want to ensure the best possible outcome from their perspective.

Leading CISA critics Sens. Ron Wyden (D-Ore.) and Dean Heller (R-Nev.) both came within a handful of votes of getting several privacy-advocate favored amendments approved during Tuesday’s Senate session.

Wyden’s proposal would have injected stricter requirements for companies to remove personal information from their cyber threat data before handing it to the government. It garnered a better-than-expected 41 votes.

“I was pleased that in the home stretch, visible, active support came from all across the political spectrum,” Wyden told The Hill after the vote. “We’ll just keep building.”

Heller backed a similar offering that would have also raised the personal data scrubbing standard for the government. His amendment fell just short the simple majority it needed, earning 47 votes.

“I don’t consider it a win if you don’t get the votes, but it does send a strong message,” Heller told The Hill.

And that’s a message for the conference negotiators.

“I believe that it’s something will now be seriously considered in conference,” Heller said, adding that he had spoken to Burr about the issue.

“He believes there is an avenue by which this can happen,” Heller said.

Burr said as much on the floor, promising to include the senators in the negotiations to see if they can find a compromise on the technical language in the bill.

“I intend to continue to talk to everybody,” Burr told reporters after the bill passed. “I made a commitment before we went to the floor that everybody would have a fair shot. They will continue to have it as we negotiate with the House.”

But that “fair shot,” he conceded, will take time.

“It’s just going to make it much more complicated,” he said.

Adding to these potential impediments is the basic fact that the bills have significant discrepancies between them.

While several cyber policy experts noted the individual measures are structured similarly, some pointed to differences in the bills, namely in the leeway they each give companies to share data with agencies other than the Department of Homeland Security (DHS).

Feinstein hopes CISA’s 74 votes may help push negotiators to favor the upper chamber’s language. CISA would incentivize companies to go through the DHS or through their regulatory agency.

“I think the vote gives us the opportunity to go in with hopefully a strong hand into the conference and enable us to come out without weakening the privacy provisions,” Feinstein told reporters Tuesday night.

With two bills, the House’s sharing process is less clear. But both measures also passed with robust support — over 300 votes each.

Others with knowledge of the discussions floated the idea that negotiators would more broadly default to the Senate’s language for expediency, since it is a single bill.

Regardless, it’s a process that will likely stretch on for months, at least until after the new year, Burr guessed.

“Now the work begins as we go to conference,” Burr said on the floor Tuesday.

“We’ve got a long debate ahead of us,” Wyden vowed.