With CISPA's Passage, What Next?Despite Veto Threat, Cybersecurity Lawmaking Moves Forward
House passage of the Cyber Intelligence Sharing and Protection Act represents a step forward toward a goal of nearly every lawmaker - Democratic and Republican: creating a mechanism for government and businesses to share information on cybersecurity threats.
That's been the bipartisan nature of Congress' cybersecurity legislation debate, understanding the need for the government to act to protect vital networks in and out of government.
Quite frankly, we are running out of time. ... This bill is a good step, but it's only a first step.
Indeed, the House this week also passed three less controversial cybersecurity bills that head to the Senate. The Federal Information Security Amendments Act, approved by a voice vote, would update the Federal Information Security Management Act that governs federal government IT security. On another voice vote, representatives reauthorized the Networking and Information Technology Research and Development program that develops unclassified ways to protect information systems. By a 395-10 vote, the House approved the Cybersecurity Enhancement Act of 2011 to authorize research and education. That measure also would have the National Science Foundation and the National Institute of Standards and Technology develop IT security standards.
Still, the fate of cybersecurity legislation making it to President Obama's desk this year is far from guaranteed. Although 42 Democrats joined 206 Republicans voting for CISPA - 140 Democrats and 28 Republicans opposed it - a fundamental partisan divide exists that could prevent enactment of a cybersecurity law this year.
The main division deals with regulation. Sponsors of CISPA, as the bill is known, never intended to address IT security standards for the nation's critical IT infrastructure in the measure. Unlike the Senate, with its more comprehensive Cybersecurity Act of 2012, House Republican leaders approached IT security lawmaking through a series of narrowly focused bills, and CISPA is a product of the House Intelligence Committee, which concentrates on the flow of intelligence. Still, one of the reasons President Obama has threatened to veto CISPA is the lack of IT security standards (see Obama Threatens to Veto Cybersecurity Bill).
Republicans, for the most part, oppose any type of regulation, even the somewhat limited approach backed by Obama and sponsors of the Senate Cybersecurity Act, in which the government and business work together to develop IT security standards for industry to follow. Finding enough GOP support to win passage of a bill that promotes any form of regulation remains a big challenge to surmount.
The other issues surrounding CISPA are privacy and civil liberties. Opponents to CISPA contend the bill doesn't do enough to protect the privacy of individuals, a position with which the bill's sponsors disagree. Amendments approved by the House before the final vote on April 26 tightened privacy protections, but not to the satisfaction of groups such as the American Civil Liberties Union and the Center for Democracy and Technology. And, the Obama administration cited the lack of privacy and civil liberties protection as another reason for the veto threat.
Do the objections to the lack of regulations and privacy and civil liberties protections, along with a veto threat, signify the death of a bill to encourage information sharing? Probably not. Lawmakers understand the threats facing American IT systems and the need for information sharing to battle those threats. CISPA, as passed by the House, won't become law, but that doesn't mean some type of cybersecurity legislation won't eventually arrive in the Oval Office - or the Rose Garden, if it's a balmy day - for President Obama's signature.
The Senate sponsors of the Cybersecurity Act - Joseph Lieberman, ID-Conn.; Susan Collins, R-Maine; Jay Rockefeller, D-W.Va.; and Dianne Feinstein, D-Calif. - issued a statement lamenting CISPA's lack of infrastructure protection, but suggested compromise legislation could emanate from a Senate-House conference to "produce legislation that secures the most critical systems on which all American people and businesses depend each day."
Rep. Mac Thornberry of Texas, who heads the House GOP Cybersecurity Task Force, also said he's seeking compromise: "This issue is too important to let attempts to find the perfect bill prevent us from taking good, significant steps in the right direction. There is much that everyone agrees on. We should at least do those things and agree to continue to work on issues where we may have differences."
It's a point also made by Rep. Jim Langevin, the Rhode Islander and House Cybersecurity Caucus co-chairman, who was among the few dozen Democrats to vote for CISPA:
"While I don't believe that this legislation is perfect, and much work remains to be done, CISPA represents an important good-faith effort to come together as a necessary first step towards better cybersecurity for our nation."
Langevin believes in stronger privacy and civil liberties protections and a role for government in defining how best to protect privately controlled information networks critical to the functioning of America's society and economy than CISPA offers. But addressing those issues can wait for another day.
"Quite frankly, we are running out of time," Langevin said during the House debate. "I believe it's important that we act now to begin our legislative response to this critical issue. We all know how dependent we are on the Internet and how we use it so much in our daily lives ... This bill is a good step, but it's only a first step.
"Now it is up to the Senate to act. This issue is too important to let attempts to find the perfect bill prevent us from taking good, significant steps in the right direction. There is much that everyone agrees on. We should at least do those things and agree to continue to work on issues where we may have differences. Our country's security and economy depend on taking action now."