Senate Dems modifying cybersecurity bill to pick up GOP votes

Senate Democrats are quietly revamping cybersecurity legislation in an attempt to pick up Republican votes.

The move is an acknowledgement that they currently lack the 60 votes needed to bring their preferred bill to the floor. 

ADVERTISEMENT
"Undoubtedly we'll make some changes," a Senate Democratic aide told The Hill. But he said getting the legislation through the Senate "is not as hard of a lift as some people have made it out to be."

The aide predicted that the entire Senate Democratic caucus will vote for the bill.

The House passed its own measure, the Cyber Intelligence Sharing and Protection Act (CISPA), last month despite a veto threat from the White House.

The goal of CISPA is to help companies beef up their defenses against hackers who steal business secrets, rob customers' financial information and wreak havoc on computer systems. The bill would remove legal barriers that discourage companies from sharing information about cyber threats. 

But the White House and Senate Democrats argue that CISPA lacks adequate privacy protections and would fail to protect critical infrastructure, such as electrical grids, banks or water supplies.

They have endorsed an alternative bill from Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) that includes tougher privacy protections and would authorize the Homeland Security Department to set mandatory security standards for critical infrastructure.

Supporters of the Senate bill argue that mandatory standards are necessary to ensure that critical systems are safe from a catastrophic cyber attack.

But a group of Republicans, led by Sen. John McCain (Ariz.), has slammed the Lieberman-Collins Cybersecurity Act as an example of big government overreach.

At a hearing in February, McCain said if the Lieberman-Collins bill were enacted, "unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses" and that the new rules would "stymie job creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates.”

GOP House leaders have also indicated they will not allow a vote on any bill that creates new cybersecurity mandates.

A Senate Democratic leadership aide said the Senate is "on track" to vote on the Lieberman-Collins bill sometime this month.

"The Cybersecurity Act of 2012 has been a priority for [Senate Majority Leader Harry] Reid [D-Nev.] for three years, and we're going to do everything we can to pass a bill that confronts the urgent national security threats we face," the leadership aide said.

But one industry official who has been tracking the legislation said she has been in talks with Democrats about how to change their bill.

"They can count just like the rest of us. They know they don't have 60," the industry official said.

She said Democrats have insisted on including a provision to protect critical infrastructure but that they are open to adjusting the language to win over industry groups and Republicans.

The industry official said the bill's sponsors have reached out to Sen. Jon Kyl (R-Ariz.) to discuss adding language to create new protections for the supply chain of materials used to build critical infrastructure systems.

The official said the change could win over a few Republicans but could also lead some industry groups to come out against it.

The Senate Democratic aide said the bill's sponsors have been in talks with "multiple members to make the bill more appealing."

The industry official also expressed optimism that lawmakers will be able to find common ground on the privacy language.

But she noted that many Republicans want the National Security Agency (NSA) to have direct access to the cyber threat information and want the government to be able to use the information for purposes such as national security or stopping child pornography. 

"If there's a bomb in Times Square, they want to be able to investigate that," she said.

Privacy advocates argue the government should only be able to use the data it collects to address cybersecurity. 

Trey Hodgkins, a senior vice president for TechAmerica, a trade association that represents technology companies including IBM, Google and Microsoft, said he has also had discussions with the supporters of the Senate bill about revamping their legislation. 

He said lawmakers have discussed tightening control over the supply chain and adding a requirement for firms to notify their customers in the event of a data breach.But Hodgkins noted that with the election just a few months away, the clock is ticking for Congress to get anything done this term.

"The farther out on the calendar we get, the harder it is going to be to advance the bill because of the broader political context," Hodgkins said.