Senate begins to move on cybersecurity

The Senate is beginning to move on cybersecurity legislation, though lawmakers have pared back their ambitions from when sweeping legislation crashed and burned last year.

The Democratic and Republican leaders of the Senate Commerce Committee unveiled draft cybersecurity legislation last Thursday and vowed to hold a vote on the bill by the end of the month.


The bill has bipartisan support, but its focus is far narrower than last year's comprehensive Cybersecurity Act, which was authored by former Sen. Joe Lieberman (I-Conn.) and Sen. Susan CollinsSusan Margaret CollinsSenate confirms Biden's nominee to lead Customs and Border Protection Hillicon Valley — Presented by Connected Commerce Council — Incident reporting language left out of package Language requiring companies to report cyberattacks left out of defense bill MORE (R-Maine). That measure failed twice to secure the 60 votes needed to break a Republican filibuster.

Lawmakers in both chambers and parties agree that Congress must act to protect businesses and vital computer networks from hackers, but they have deadlocked on the question of whether to impose new regulations.

Lieberman's retirement has left the Senate without a clear leader on cybersecurity. Instead of moving a single bill directly to the floor, Senate leaders have said they will move pieces of the legislation through the several committees with jurisdiction.

The Commerce Committee's draft bill would task the National Institute of Standards and Technology (NIST) with developing voluntary cybersecurity standards and best practices for critical infrastructure, such as banks and power plants. The legislation also aims to improve cybersecurity research, education and public awareness.

James Lewis, the director of the technology and public policy program at the Center for Strategic and International Studies, said Commerce panel staffers believe the bill can get through the Senate because it has bipartisan support and a narrowly tailored focus that's largely uncontroversial, unlike last year's sweeping cyber bill.

"It's a bipartisan bill, which they were unable to come up with the last time, and the way they did that is by taking the things that are sort of the mom and pop apple-pie stuff," Lewis said, referring to provisions aimed at boosting cyber research and development, and training of skilled cyber professionals. "

"I think they hope if they can get agreement on this, then that will let them build agreement on harder issues in the future," Lewis said.

Last year, Commerce Committee Chairman Jay Rockfeller (D-W.Va.) and former ranking member Sen. Kay Bailey Hutchison (R-Texas) supported rival cybersecurity bills. Rockefeller backed Lieberman's comprehensive cybersecurity measure, while Hutchison co-authored a bill that would have made it easier for the government and private sector to share information about cyber threats.

President Obama's cybersecurity executive order, which was issued earlier this year, has shifted the debate in Congress. The order was based on the most divisive section in last year's Senate bill, which would have empowered the Department of Homeland Security (DHS) to pressure companies to comply with cybersecurity standards.

Lawmakers are waiting to see how the implementation of the executive order plays out before returning to work on more controversial areas of the cybersecurity battle, such as clarifying DHS' authority on cybersecurity and coming up with incentives for industry to follow cyber standards, according to Lewis.

"The difference is we have the executive order. The game has shifted to the executive bench," Lewis said.

So far, other committees with jurisdiction on cybersecurity have yet to put forward legislation, and it doesn't appear they plan to do so before Congress breaks for the August recess.

Under the leadership of Sens. Tom CarperThomas (Tom) Richard CarperThe Hill's Morning Report - Presented by Uber - New vaccine mandate in NYC; Biden-Putin showdown The Hill's Morning Report - Presented by Uber - Omicron tests vaccines; Bob Dole dies at 98 Overnight Energy & Environment — Presented by ExxonMobil — Dems seek to preserve climate provisions MORE (D-Del.) and Tom CoburnThomas (Tom) Allen CoburnBiden and AOC's reckless spending plans are a threat to the planet NSF funding choice: Move forward or fall behind DHS establishes domestic terror unit within its intelligence office MORE (R-Okla.), the Senate Homeland Security and Governmental Affairs Committee has put cybersecurity on the back burner and focused the bulk of its attention on how to improve efficiency throughout the federal government. The panel did, however, hold a joint hearing with Commerce earlier this year to examine Obama’s executive order.

Observers say Carper and Coburn are taking time to get a lay of the land before introducing legislation.

Despite the lack of action on cybersecurity from the Homeland Security Committee this year, a spokeswoman for the panel said the issue is still on Carper's desk.

"Chairman Carper continues to work with the Commerce Committee, Senator Coburn and others on a comprehensive and bipartisan approach to enhancing our nation's cybersecurity efforts," the spokeswoman said.

Meanwhile, on the Senate Intelligence Committee, leaders Dianne FeinsteinDianne Emiel FeinsteinBiden administration seeks review of Trump-era approval of water pipeline What's that you smell in the Supreme Court? New variant raises questions about air travel mandates MORE (D-Calif.) and Saxby ChamblissClarence (Saxby) Saxby ChamblissFormer Georgia Sen. Max Cleland dies at 79 Effective and profitable climate solutions are within the nation's farms and forests Live coverage: Georgia Senate runoffs MORE (R-Ga.) have been trying to hammer out a measure that's aimed at improving information sharing about cyber threats between industry and government.

The measure would be a counterpart to the House's cyber information sharing bill, the Cyber Intelligence Sharing and Protection Act (CISPA), that passed this spring. The White House threatened to veto the House measure over concerns that it would violate privacy rights and fail to adequately protect critical infrastructure.

CISPA would allow companies to share data about malicious source code and other cyber threats with the government, including the National Security Agency, so they can thwart cyberattacks faster. Privacy advocates argued that the bill would encourage companies to share a larger pool of people's online communications with the government—and give them legal protection for doing so.

But efforts to pass cybersecurity legislation in Congress have been complicated by revelations about the NSA's surveillance programs.

The disclosures about government snooping enabled by former contractor Edward Snowden have stoked privacy fears and reduced public trust in the ability of federal officials to safeguard sensitive information.  

"Snowden has made [passing] anything next to impossible. That's the reality," one technology lobbyist said.