Trade Law Daily is a Warren News publication.
Right Mix Debated

Top Senate Democrats Target September for Cybersecurity Vote

Cybersecurity is a legislative priority for Senate Majority Leader Harry Reid, D-Nev., his spokeswoman said. He and Senate committee chairmen hope to introduce and vote on a comprehensive bill this September, Senate staffers said. Challenges remain, including working out differences between two major bills by Sens. Jay Rockefeller, D-W.Va., and Joseph Lieberman, I-Conn., and getting approval from Republicans and the House, said Senate and industry officials. Negotiations over the next three to four weeks will be critical, said an aide.

“Reid is committed to bringing the bill up as soon as it’s ready,” the spokeswoman for the majority leader said Fri. “The goal is a comprehensive bill, so everything is on the table at this point. We are moving quickly to identify the most pressing needs and most promising proposals so we can bring a bill to the floor that will equip the federal government with the tools and authorities it needs to confront this urgent threat.”

Reid and six committee chairmen previewed the approach in a letter July 1 to President Barack Obama. “We recognize that we face a critically important challenge in balancing the need for a secure, efficient, and resilient digital environment with the imperative of maintaining civil liberties, open commerce, and individual privacy,” they wrote. “Our Committees have already developed a number of well-considered proposals to achieve this balance, and our intent is to build upon this work in our comprehensive legislation.”

In addition to Reid, the letter was signed by Sens. Rockefeller, Lieberman, Patrick Leahy, D-Vt., Carl Levin, D-Mich., John Kerry, D-Mass., and Dianne Feinstein, D-Calif. Respectively, they are chairmen of the committees on Commerce, Homeland Security, Judiciary, Armed Services, Foreign Relations and Intelligence. For about a year, Reid and the chairmen have had meetings about cybersecurity legislation, including one a month ago, and another is expected soon, said a Senate aide.

The senators “are looking at a variety of bills” to integrate, the Reid spokeswoman said. Proposals under consideration include the Rockefeller (S-773) and Lieberman (S-3480) bills, Leahy’s data security bill (S-1490), Feinstein’s data breach notification bill (S-139), Kerry’s bill to create a cybersecurity coordinator in the State Department, and cybercrime legislation (S-3155) by Sen. Kirsten Gillibrand, D-N.Y., she said. Senators also want to incorporate recommendations from the administration, private sector, and others, she said.

Overlapping bills by Rockefeller and Lieberman are the key ingredients of the package, and negotiations are focused on working out their differences, Senate aides said. Both bills have been approved by their sponsors’ committees. A key difference is how they go about protecting critical infrastructure, said an aide.

Senate Republicans so far haven’t been involved in negotiations on the comprehensive package, though many of the bills have Republican cosponsors, Senate aides said. One aide expects discussions with the minority later. Both parties support cybersecurity legislation, but some said the November election and other political dynamics could lead to Republican opposition.

The path through the House is not as clear, Hill aides said. The House has already passed a few cybersecurity bills, including legislation to promote research and development, revamp the Federal Information Security Management Act and establish a White House advisor on cybersecurity. A Senate aide said it might be possible to conference a bill melting those into the larger Senate bill, and then send the package back to the House for a vote. Knowing how tough it is to get anything done in the Senate, the House may be receptive, predicted another Senate aide.

Hill staffers said they were unaware of any similar efforts in the House to draft comprehensive legislation. House Homeland Security Committee Chairman Bennie Thompson, D-Miss., is drafting cybersecurity legislation, his spokeswoman said. She didn’t say what it contains.

Meanwhile, a House bill modeled on the Lieberman legislation by Reps. Jane Harman, D-Calif., and Peter King, R-N.Y., is stuck in a jurisdictional mire, said a House staffer. According to the Library of Congress, the bill (HR-5548) was referred to committees on Oversight, with secondary referrals to Homeland Security, Armed Services, Judiciary, Education and Labor, and the Permanent Select Committee on Intelligence, “for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”

Thompson’s bill may be a response to the situation of the Harman bill, which was introduced a day after the Senate Homeland Security Committee marked up Lieberman’s, a telecom industry official said. House Homeland Security Committee Chairman Bennie Thompson “blew gaskets” because Harman’s bill ended up referred to another House committee, the industry official said.

Thompson plans to introduce his cybersecurity legislation by August and seems willing to get involved with the interested parties to think about what is needed, the official said.

Rockefeller v. Lieberman?

There are five major Senate cybersecurity bills, said Melissa Hathaway, who was Obama’s acting senior director for cyberspace for the National Security and Homeland Security Councils last year. The only one not listed by the Reid spokeswoman was S-3538, sponsored by Republican Sens. Kit Bond of Missouri and Orrin Hatch of Utah. All will be melded into the comprehensive bill, she predicted. The Rockefeller, Lieberman and Hatch bills are broader overhauls of cybersecurity and take different approaches, Hathaway said. Rockefeller’s establishes a national cybersecurity center but leaves its location up to the president, she said. It also empowers the National Institute for Standards and Technology to set cybersecurity standards. NIST works with private industry, she said. Lieberman’s bill puts the cybersecurity center at the Department of Homeland Security, while Bond/Hatch leans towards the Department of Defense, she said.

Hathaway did not know if Rockefeller, Lieberman or Hatch would prevail. “All the bills are still being worked on as a team on Capitol Hill,” she said. A final bill will not pass this Congress but in the next, she predicted. Instead Congress will use the annual defense spending bill as a vehicle for cybersecurity reform, Hathaway said. Among the likely reforms will be creation of a White House-based cybersecurity chief confirmed by the Senate, she said.

Industry leaders are focused on the Rockefeller and Lieberman bills, said a telecom industry official. They have the industry’s attention because they either retain or alter the public-private partnership characterizing cybersecurity efforts, the official said: Cybersecurity legislation has “huge” consequences for the industry, and “a lot is at stake.”

The telecom industry is more comfortable with Rockefeller’s bill, the industry official said, because it’s less intrusive and less regulatory. Rockefeller’s bill would rely on the telecommunications industry to develop cybersecurity best practices, the official said. It does a better job preserving the public-private partnership that has characterized U.S. cybersecurity efforts after 9/11, the official said. For example, the official cited the Department of Homeland Security’s Critical Infrastructure Partnership Advisory Committee, which coordinates federal infrastructure protection programs with those of the private sector: “When you have a partnership structure you can converse with the government and talk about vulnerabilities and risks and not worry about the penalty for sharing them.”

In contrast, Lieberman’s bill “creates a vast new bureaucracy in the DHS,” said the official. It establishes a White House cybersecurity director and a DHS cybersecurity director reporting to DHS. It also creates a national cybersecurity center there. That would undermine the partnership approach meticulously crafted after 9/11, the official said. “At the end of the day the czar makes the final call.” Lieberman’s bill has the veneer of partnership because it doesn’t mandate cybersecurity standards on industry, the official said, but it gives liability limits to companies that do, essentially regulating them.

There also are turf issues at stake between the two bills, said a telecom industry official. Rockefeller’s committee has jurisdiction over the NIST and would entrust it with drafting cybersecurity standards. NIST inspires trust and confidence from the business community because of its reputation for methodical work, the official said. Lieberman’s committee has jurisdiction over DHS and has a vested interest in getting it the significant appropriations over time that it would receive as the go-to agency on cybersecurity, the person said. The senators are both powerful and at loggerheads over the bills, said the official, pointing to the July 1 letter asking Obama to lead on the issue.