Hurdles remain for major cybersecurity bill

Hurdles remain for major cybersecurity bill
© Getty

Sweeping cybersecurity legislation recently passed in Congress still has serious hurdles to clear before becoming law.

On Tuesday night, the upper chamber approved the Cybersecurity Information Sharing Act (CISA) — a bill meant to encourage companies to share data on cyberattacks with the government — by a bipartisan 74-21 vote.

Coming roughly six months after the House approved its companion legislation, the Senate’s vote puts an overall cybersecurity information-sharing measure on path to becoming law.

ADVERTISEMENT

But despite the bills clearing both chambers by wide margins, the legislation is about to enter a difficult and uncertain conference negotiation to produce the final bill.

Shifting House leadership, the technical nature of the legislation and significant discrepancies between the passed bills are all expected to drag out that conference report between the two chambers, pushing the bill’s implementation into the new year at least, according to proponents of the legislation.

“You saw how difficult it was and how technical this can be,” said Sen. Richard BurrRichard Mauze BurrEx-CIA agent: Whistleblower's complaint 'should be considered on its merits' Senate Intel chair: Whistleblower hasn't agreed to testify before panel Juan Williams: Trump, the conspiracy theory president MORE (R-N.C.), who co-sponsored the Senate’s bill with Sen. Dianne FeinsteinDianne Emiel FeinsteinSenate Democrats want Warren to talk costs on 'Medicare for All' Khashoggi fiancée meets with lawmakers seeking 'justice and accountability' for his slaying Schiff should consider using RICO framework to organize impeachment MORE (D-Calif.), shortly after the long-stalled CISA passed. “We're going to move at a very slow pace.”

First and foremost is the looming void atop the House. The lower chamber has yet to elect its new Speaker, with outgoing Speaker John BoehnerJohn Andrew BoehnerIs Congress retrievable? Boehner reveals portrait done by George W. Bush Meadows to be replaced by Biggs as Freedom Caucus leader MORE (R-Ohio) just days from his planned retirement.

After several weeks of cajoling, the ostensible consensus candidate, Rep. Paul RyanPaul Davis RyanAmash: Trump incorrect in claiming Congress didn't subpoena Obama officials Democrats hit Scalia over LGBTQ rights Three-way clash set to dominate Democratic debate MORE (R-Wis.), was finally convinced to run, meaning he is likely to be officially elected soon.

But even Ryan's ascension to the Speakership could throw a wrench in the cyber negotiations. To take on the House’s top role, Ryan would have to leave his position as head of the House Ways and Means Committee.

One of the key co-sponsors of the House’s cyber legislation, House Intelligence Committee Chairman Devin Nunes, has expressed interest in shifting over to run the powerful tax-writing committee.

The California Republican would face at least a three-way race. Both Rep. Kevin BradyKevin Patrick BradyOvernight Health Care — Presented by National Taxpayers Union — House Dems change drug pricing bill to address progressive concerns | Top Republican rejects Dem proposal on surprise medical bills | Vaping group launches Fox News ad blitz Top Republican rejects Democratic chairman's approach to stopping surprise medical bills America's workers and small business owners need the SECURE Act MORE (R-Texas), the committee’s second-ranking Republican, and Rep. Pat Tiberi (R-Ohio) have also said they plan to run.

“Let’s get a new Speaker in place, let’s let him decide whether Devin Nunes is going to be the chair of the Intel committee or the chair of Ways and Means, and we’ll begin as early as we can to start to preconference this with the House,” Burr told reporters Tuesday night.

Nunes joined with his committee’s ranking member, Rep. Adam SchiffAdam Bennett SchiffSchiff punches back after GOP censure resolution fails Trump urges GOP to fight for him House rejects GOP measure censuring Schiff MORE (D-Calif.), to back the Protecting Cyber Networks Act (PCNA), one of two complementary cyber info-sharing bills the House passed on back-to-back days in April.

The other bill, known as the National Cybersecurity Protection Advancement Act (NCPAA), came from the House Homeland Security Committee’s leaders, Chairman Michael McCaul (R-Texas) and ranking member Bennie Thompson (D-Miss.).

If Nunes does leave the Intel panel, it would be up to the next Speaker to appoint the next head of the Intelligence committee, who would immediately become a central part of the cyber bill negotiations.

Burr maintained that new Intel leadership shouldn’t change the conference process.

“I don’t think so,” he told reporters, noting that Nunes is “not necessarily the next in line on Ways and Means, so I don’t think that’s a certain certainty.”

“We’ll work with them until they sort out things,” he added.

But House and Senate leaders will also face considerable pressure from other lawmakers, advocacy groups and the White House, who all want to ensure the best possible outcome from their perspective.

Leading CISA critics Sens. Ron WydenRonald (Ron) Lee WydenHillicon Valley: Facebook removes Russian, Iranian accounts trying to interfere in 2020 | Zuckerberg on public relations blitz | Uncertainty over Huawei ban one month out US ban on China tech giant faces uncertainty a month out Hillicon Valley: GOP lawmakers offer election security measure | FTC Dem worries government is 'captured' by Big Tech | Lawmakers condemn Apple over Hong Kong censorship MORE (D-Ore.) and Dean HellerDean Arthur HellerThis week: Barr back in hot seat over Mueller report Trump suggests Heller lost reelection bid because he was 'hostile' during 2016 presidential campaign Trump picks ex-oil lobbyist David Bernhardt for Interior secretary MORE (R-Nev.) both came within a handful of votes of getting several privacy-advocate favored amendments approved during Tuesday’s Senate session.

Wyden’s proposal would have injected stricter requirements for companies to remove personal information from their cyber threat data before handing it to the government. It garnered a better-than-expected 41 votes.

“I was pleased that in the home stretch, visible, active support came from all across the political spectrum,” Wyden told The Hill after the vote. "We'll just keep building."

Heller backed a similar offering that would have also raised the personal data scrubbing standard for the government. His amendment fell just short the simple majority it needed, earning 47 votes.

“I don’t consider it a win if you don’t get the votes, but it does send a strong message,” Heller told The Hill.

And that’s a message for the conference negotiators.

“I believe that it’s something will now be seriously considered in conference,” Heller said, adding that he had spoken to Burr about the issue.

“He believes there is an avenue by which this can happen,” Heller said.

Burr said as much on the floor, promising to include the senators in the negotiations to see if they can find a compromise on the technical language in the bill.

“I intend to continue to talk to everybody,” Burr told reporters after the bill passed. “I made a commitment before we went to the floor that everybody would have a fair shot. They will continue to have it as we negotiate with the House.”

But that “fair shot,” he conceded, will take time.

“It’s just going to make it much more complicated,” he said.

Adding to these potential impediments is the basic fact that the bills have significant discrepancies between them.

While several cyber policy experts noted the individual measures are structured similarly, some pointed to differences in the bills, namely in the leeway they each give companies to share data with agencies other than the Department of Homeland Security (DHS).

Feinstein hopes CISA’s 74 votes may help push negotiators to favor the upper chamber’s language. CISA would incentivize companies to go through the DHS or through their regulatory agency.

“I think the vote gives us the opportunity to go in with hopefully a strong hand into the conference and enable us to come out without weakening the privacy provisions,” Feinstein told reporters Tuesday night.

With two bills, the House’s sharing process is less clear. But both measures also passed with robust support — over 300 votes each.

Others with knowledge of the discussions floated the idea that negotiators would more broadly default to the Senate’s language for expediency, since it is a single bill.

Regardless, it’s a process that will likely stretch on for months, at least until after the new year, Burr guessed.

“Now the work begins as we go to conference,” Burr said on the floor Tuesday.

“We’ve got a long debate ahead of us,” Wyden vowed.