The Senate is expected to move on a cybersecurity bill late Monday night or sometime Tuesday, according to industry observers.
The measure would codify and clarify the Homeland Security Department’s (DHS) cybersecurity role, according to a draft obtained by The Hill. It would also expand some cybersecurity information sharing between the private sector and the DHS, but not by much, and not with the legal protections industry groups had coveted.
It’s surprising movement on a topic that many thought would be tabled until 2015.
“It’s definitely a notable step,” said Jordan Quinn, policy manager for the Financial Services Roundtable (FSR), a major finance industry trade group that has been pushing for cybersecurity legislation.
But it’s “maybe a few first steps,” added Josh Magri, FSR’s regulatory counsel. Much more is needed, he said.
The National Cybersecurity Protection Act is the Senate’s version of a House-passed bill, the National Cybersecurity and Critical Infrastructure Protection Act (NCCIP).
The Senate draft started circulating on Friday. It officially authorizes an existing division of the DHS — the National Cybersecurity and Communications Integration Center, or NCCIC. The NCCIC is a central hub for public and private partners to share and access cyber info.
The Senate measure is a pared-down version of the House bill. It left out a number of industry-desired provisions that would have eased cybersecurity information sharing with the NCCIC.
“In general it really doesn’t solve the big problem that everybody’s screaming for and that’s information sharing,” Quinn told The Hill.
Industry groups have been pushing for legal protections for companies exchanging cybersecurity information with the government. They argue protections are needed to shield companies from lawsuits should the shared information get disclosed.
While the bill being considered would help facilitate information sharing, it never would have established the extensive safe harbor protections industry wanted.
It’s more part of the government “getting its own house in order” on cybersecurity, Magri said.
Industry groups had been pinning their hopes on another Senate bill, the Cybersecurity Information Sharing Act (CISA).
“To me that was a key example of a bill that’s narrowly focused on cyber threat information sharing,” Quinn said.
CISA provided a legal safe harbor for many private sector companies to share cyber threat information with the National Security Agency (NSA).
Privacy advocates were concerned CISA didn’t adequately stop the NSA from collecting personal information on Americans through the exchange.
CISA was also pulled into the debate over the NSA’s broader authorities, a hot-button issue since former government contract employee Edward Snowden disclosed a number of secret NSA surveillance programs.
After the Senate failed to move forward on a bill to curb the NSA’s surveillance authority, CISA was widely assumed dead until 2015.
Lawmakers have vowed to revisit a cyber information sharing bill next year. But many in and outside government worry it could take time to get the issue back on the table, especially considering the late cyber flurry in the lame duck.
"Will there be a bit of cyber fatigue coming up next year?" Quinn wondered.
— Updated 8:37 p.m.