One of the top priorities for new House Homeland Security Committee Chairman Michael McCaul (R-Texas) next Congress is to bring a cybersecurity bill to the floor that has "buy-in" from industry.
When he takes up the chairman's gavel next month, McCaul said he plans on meeting with industry players, including tech companies and critical infrastructure operators, to get their feedback on what measures they think should be in cybersecurity legislation. McCaul said he also hopes to travel with other committee members to various sites where critical infrastructure is housed.
"I think cybersecurity legislation will be the top legislative priority for the committee next Congress and after I appoint the subcommittee chair of cybersecurity, I initially intend to hold a 'listening post' with stakeholders—whether it be the high-tech sector, critical infrastructures in the private sector—to get their take on legislation, what they would like to see in a bill in an attempt to get buy-in from the private sector in what we do," McCaul said.
McCaul declined to comment on who will chair the cybersecurity subpanel, a seat that's currently held by outgoing Rep. Dan Lungren (R-Calif.).
The aim of the outreach is to ensure the bill's path to the floor isn't derailed by industry opposition, suffering the same fate as a cybersecurity measure by Lungren earlier this year. House GOP leadership had pressured Lungren to scale back measures in his bill amid industry concerns that it was too regulatory. The bill, which cleared the Homeland Security Committee on a party-line vote, was ultimately sidelined when the House voted on a package of cybersecurity bills this spring.
"I think the reason why that bill failed is it was perceived by the private sector as over-regulating and that's going to be the key issue I need to address," McCaul said in an interview.
Like Lungren's measure, McCaul said his bill would aim to improve information-sharing between industry and government about cyber threats, but it needs to "incentivize that relationship" rather than rely on enforcement.
McCaul expects other House committees will tee up cybersecurity-related legislation introduced this past year for consideration in 2013, including the Intelligence Committee's Cyber Intelligence Sharing and Protection Act (CISPA). Although privacy advocates and civil liberties groups rallied against CISPA, it won broad backing from a range of companies — such as Facebook, AT&T and IBM.
McCaul sees his bill complementing CISPA because it would center on helping the Homeland Security Department (DHS) coordinate information-sharing about cyber threats. CISPA, on the other hand, would allow companies to share information about malicious source code and other data with the intelligence community, including the National Security Agency, as well as DHS.
But before the next congressional session begins in January, the White House could release the cybersecurity executive order it has worked on over the last few months. The cyber order will have a significant effect on Congress's path forward on cybersecurity legislation next year.
Several Republicans in both the House and Senate have urged the White House to abandon its cyber order and let Congress take the reins on the issue.
But unlike his other GOP colleagues, McCaul did not speak out against the White House's executive order, saying Congress's inaction on cybersecurity opened the door for the administration to make a move. Still, he said Congress needs to pass its own legislation because an executive order cannot grant new authorities and does not include liability protection for companies.
"I don't blame them for acting because Congress has failed in this regard," McCaul said. "I think it's important that Congress act and put [cybersecurity legislation] into law, and there may be some things in the executive order that may be helpful in our legislation and I'll certainly be looking at that. It's really important that Congress act on this issue and that's my sincere hope going into the next Congress."