A Republican House and Senate might be the kickstart needed for perpetually stalled cybersecurity legislation.
Policy experts say a united Republican Congress will be more receptive to voices backing a cyber information sharing bill during the lame duck session.
“The context is better suited for it,” said Robert Cattanach, a cybersecurity lawyer and former special counsel to the secretary of the Navy.
The bill, currently known as the Cybersecurity Information Sharing Act (CISA), passed the House in July and would allow the government and private sector to share cyber threat indicators protected from certain disclosures and lawsuits. The bill’s detractors are concerned the bill doesn't restrict the government from collecting personal data on Americans.
Industry groups and the National Security Agency (NSA) have been major proponents of the proposal, and may find a more receptive audience in the next Congress.
“We would anticipate that [an info sharing bill] would be able to move through the Senate more easily now than before,” said Paul Martino, senior policy counsel at the National Retail Federation, one of many industry groups supporting a cyber information sharing measure.
Still, unknowns remain. The Senate committees that have driven cyber legislation will have new leaders with opaque and minimal cyber policy backgrounds.
Sen. Richard Burr (R-N.C.) will likely replace Senate Intelligence Committee Chairwoman Dianne Feinstein, D-Calif., the upper chamber’s main proponent of CISA. Sen. Ron Johnson (R-Wis.) is likely assuming leadership of the Senate Homeland Security Committee, which manages the bulk of cyber funding.
Though the senators helped sponsor a 2012 Republican bill to facilitate cyber threat information sharing between the government and private sector, neither has a robust cyber policy history.
“It’s not in their wheelhouse,” Cattanach said.
But fears that the new leaders may abandon cyber legislation appear overblown. Neither is seen as a strong opponent of the intelligence community and both are closely affiliated with private industry groups, two groups that see CISA as the top priority on cybersecurity.
Burr once told reporters, “If I had my way, with the exception of nominees, there would never be a public intelligence hearing.”
And Johnson is “pretty hawkish on the NSA,” Cattanach said. The Wisconsin lawmaker has shown concern about the lack of NSA oversight, but defended the agency’s electronic surveillance program.
Burr is expected to build off of Feinstein's framework instead of forging his own bill.
“Why start from scratch, why reinvent the wheel?” said one cybersecurity policy expert with close contacts on Capitol Hill and in President Obama's administration.
“I haven’t seen any indication that Burr would take a different tact,” said Melvin Dubee, vice president of government relations at defense manufacturer Lockheed Martin.
The White House, civil liberties-focused senators and privacy groups have pushed for NSA reform before passing any cyber information sharing bill, a potential stumbling block to passing cyber legislation.
Former NSA contractor Edward Snowden's disclosures about U.S. surveillance programs have essentially stopped the bill from moving the last 18 months, cyber advocates contend.
“I think there’s a sequencing problem,” said Matt Rhoades, director of the cyberspace and security program at the Truman National Security Project. “Otherwise, I think we would have had information sharing last year.”
While the party switch in the Senate has gained the most attention, the House Intelligence Committee is also losing its cyber-oriented chairman, Rep. Mike Rogers (R-Mich.) to retirement.
Rogers and Committee Ranking Member Dutch Ruppersberger (D-Md.) “have been the primary driers for information sharing,” said Dubee. “I’m probably more interested in seeing who gets those jobs."
Without a clear line of succession in the House, the next leader’s priorities become another uncertainty that could alter any cyber bill’s chances.
“Things can be done that couldn’t be done before,” Cattanach said. “It doesn’t mean they will be done.”