That is the $64,000 question. This being Washington, DC, it’s more likely a multi-million dollar question, and the answer is unclear. The Senate voted 84-11 last Thursday to end debate on a procedural motion that allows a revised bill, S. 3414, sponsored by Homeland Security and Government Affairs Committee Chairman Joe Lieberman (D-CT) to be brought up for consideration. However, agreeing to debate a bill doesn’t mean agreeing to a vote on it, much less support for it. As of Tuesday afternoon Senators were still negotiating how to move forward on the 90 amendments the bill has already attracted. There is little time left to consider more than a few before the Senate is scheduled to recess this Friday for a month-long summer break.
As this blog has described since the beginning of the year, there is widespread support among Democrats, Republicans, and the White House on the need for cybersecurity legislation. But there is fierce disagreement over what it should look like. A principal issue all along has been whether the bill should impose certain security standards on the private sector, with which most of the nation’s critical infrastructure resides, or set up a voluntary program. The government’s authority over information collected in the name of cybersecurity has also raised concerns among privacy advocates.
The 200-page revised bill, (summary and outline) has shifted away from a regulatory approach toward providing incentives for businesses to adopt best practices. It also contains restrictions on what government agencies can receive cybersecurity information and on how that information can be used and provides legal recourse for individuals if the law is violated. These and other changes have garnered the support of numerous businesses and the ACLU, as well as the Obama Administration. However, divisions in the business community remain, as demonstrated by continuing opposition by the US Chamber of Commerce, which fears the bill could ultimately lead to regulation.
Further complicating the picture are the host of amendments – some related, some not – to the bill: Sen. Pat Toomey (R-PA) has filed his Data Security and Breach Notification Act as an amendment and Oversight of Government Management Subcommittee Chairman Daniel Akaka (D-HI) said at today’s hearing on the “State of Federal Privacy and Data Security Law: Lagging Behind the Times?” that he will do the same with his Privacy Act Modernization for the Information Age Act. The Chamber and several other industry trade associations oppose the addition of such data privacy and breach notification measures to the bill, preferring that they be vetted in committees and taken up independently. Read Joint Association Letter to the U.S. Senate Regarding Amendments to S. 3414. The bill could also become a focal point for gun control amendments in light of the recent tragedy in Colorado and for any number of pet issues various Senators have been trying to move for the last 19 months. To wax metaphorical, when the last train appears to be leaving the station, all sorts of folks try to hitch a ride.
It’s hard to tell how this will end up. With the elections only three months away, at least 1/3 of the Senate is very sensitive to lobbying by key constituencies and Members may decide that the Hippocratic oath / political rule of thumb “first, do no harm” means don’t pass an obscure bill the public isn’t clamoring for. But outside-the-beltway events such as the massive power outages across India (which so far don’t appear to involve cyber breaches) may yet spur action, as no candidate wants to be caught flat footed were a cybersecurity incident to occur before November 6. For now, the Senate Chamber is spending most of the day in a quorum call while leaders work to resolve issues off the floor, so check back here for updates as things progress.