By Darryl Drevna
The White House is reviewing, but has not yet approved, a nearly complete draft of cybersecurity legislation that may pass as early as next week. House and Senate negotiators are working to merge three cyber bills that are designed to encourage private companies to share more data on cybersecurity threats with the government. Negotiators are hoping to move compromise legislation through Congress in the coming days and have it ready for President Obama's signature by the end of the year. It appears, however, that final passage is tied to the ongoing appropriations process.
The House and Senate have not entered an official conference on cybersecurity legislation, but unofficial talks have been ongoing since the Senate passed its bill, the Cybersecurity Information Sharing Act (CISA) in October. These talks have amplified in the past few days. In April, the House overwhelmingly passed two cybersecurity bills, the Protecting Cyber Networks Act (H.R.1560) (“PCNA”) and the National Cybersecurity Protection Advancement Act (H.R. 1731) (“NCPAA”). Negotiators intend to have the compromise bill language nearly complete before officially entering a conference committee to expedite the process. Under such a scenario, the House would approve the conference report. The Senate could then attach the bill to an omnibus spending package that is expected to pass by December 16. House Homeland Security Committee chair Michael McCaul (R-TX), however, is opposed to attaching the cybersecurity bill to the omnibus bill, which would fund the federal government through FY 2016. A number of civil libertarians and privacy advocates in Congress also are attempting to include a number of cybersecurity related amendments to the omnibus rather than the cybersecurity bill. These members sent a letter to Congressional leadership (available here) that requested a number of amendments that are concerned with warrantless searches and bulk data collection be added to the omnibus. Rep. Adam Schiff (D-CA), the ranking member of the House Intelligence Committee, said that an agreement on the omnibus package is needed before negotiators can “figure out everything else” for the cybersecurity bill.
Outside of the timing, privacy concerns and how companies would report threats appear to be the main issues remaining for the cybersecurity package. McCaul said that what “portal” companies would use to report cyber threats to the government is being discussed and that his goal is to have the Department of Homeland Security service as the lead civilian portal, rather than an intelligence or law enforcement agency because “you don’t want to share information with somebody that can either prosecute or spy on you.” However, the bill reportedly would authorize the President to designate other portals, which is being criticized as a “loophole” by privacy advocates. A group of 19 civil liberties organizations sent a letter on December 9 to the White House and Congress opposing the bill and this specific provision due to concerns that it will expand government surveillance.