Congress is back from a two-week Easter recess and, despite lingering concerns from privacy groups, House leaders plan to bring to the floor for votes one or more cybersecurity bills designed to protect the nation’s critical infrastructure – from power plants to financial markets – by encouraging information sharing about cyber threats between the government and private business. The bills could be considered as early as next week.
House Intelligence Committee Chairman Mike Rogers (R-MI) has been working over the recess to address concerns of privacy advocates about his Cyber Intelligence Sharing and Protection Act, H.R. 3523. In recent redrafts, the bill has been revised to include data minimization language to reduce the amount of detailed information businesses would share with the government. Further, the bill now eliminates references to theft of IP that raised concerns similar to the anti-piracy/anti-counterfeiting bills that withered in the face of opposition earlier this year (SOPA/PIPA, S. 968/H.R. 3261). It would also now allow lawsuits against the government for intentional or willful improper disclosure of personal data that’s been collected. (Note: the above link is to the April 16 discussion draft, which incorporates amendments adopted at markup (in green) and new potential amendments under consideration (in yellow for changes from the April 12, 2012 draft and in blue for new changes in this draft).)
However, opposition to a communications monitoring provision in Rogers’ bill continues from a coalition of privacy and civil liberties groups that fear the language is too vague and would allow companies to share user data with the government without a court order. The Electronic Frontier Foundation is leading a Twitter campaign against “CISPA” this week using the hashtags #CongressTMI and #CISPA. Other groups are concerned about provisions that would cut off FOIA access to information companies share with the government. More about their concerns can be found here and here.
Business groups are also weighing in on cybersecurity this week. A coalition of 26 associations wrote House leaders today urging them to focus on several policy principles without endorsing or opposing any of the bills. The organizations range from the American Chemistry Council to the Real Estate Roundtable and they want Congress to take a “nonregulatory step forward” on cybersecurity by improving liability protections, strengthening cyber R&D, reforming FISMA, educating the public, and supporting public-private collaboration. Read the full letter.
Another House bill that could come up next week is the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness or “PRECISE” Act, H.R. 3674, which would define DHS’ roles and responsibilities and create a private, not-for-profit organization to facilitate best practices, provide technical assistance, and enable the sharing of cyberthreat information. The bill was approved by the Homeland Security Committee yesterday on a 16-13 party-line vote. Democrats said the scaled-back bill doesn’t establish DHS as the lead cybersecurity agency. Read Rep. Lungren’s (R-CA) revised bill.
Also approved separately yesterday by the Oversight and Government Reform Committee, by voice vote, was the Federal Information Security Amendments Act, H.R. 4257, which would require federal agencies to continuously monitor government IT systems and perform regular threat assessments.
A fourth bill that the House could vote on next week is the Cybersecurity Enhancement Act, H.R. 2096, intended to improve cybersecurity R&D and technical standards. It was approved last fall by the House Science, Space, and Technology Committee. The same committee also recently approved H.R. 3834, which overhauls policies for funding R&D in unclassified computing, networking and information technology, including cybersecurity, and could also be considered next week.
A sixth bill, the SECURE IT Act of 2012, H.R. 4263, was recently introduced as the House companion to Sen. McCain’s alternative cybersecurity bill (S. 2151), but has yet to see committee action and is unlikely to come to the House floor next week.
House Commerce, Manufacturing, and Trade Subcommittee Chairwoman Mary Bono Mack has expressed her desire to bring up her data breach notification measure, the SAFE Data Act, H.R. 2577, during the cybersecurity debate, but odds are slim that it could garner enough support to hitch a ride on cybersecurity legislation. Several of her colleagues are not convinced that such legislation is necessary, despite continuing reports of data breaches.
On the Senate side, the primary bill, the Cybersecurity Act, S. 2105, which would establish minimum security standards that certain companies must meet, remains stalled while the bipartisan sponsors work to address Republican concerns with the bill, described in a February 15, 2012, post. If one or more of the House bills advance next week, the Senate could act on cybersecurity in May. The outlook for data breach notification legislation on the Senate side also remains doubtful, though work continues at the staff level.