White House's Daniel Eyeing CISA Conferencing To 'Fix' Measure
ASPEN, Colorado -- White House Cybersecurity Coordinator Michael Daniel sees the bicameral reconciliation process of the Cybersecurity Information Sharing Act (S-754) as key to fixing the administration’s problems with it. Daniel kicked off the start of the Technology Policy Institute' annual meeting Sunday.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“Overall, we would like the Senate to actually pass [CISA] so they can go to conference with the House, and we can fix the remaining issues that we have there,” Daniel told industry executives, FCC commissioners and Capitol Hill staffers. He judged CISA “a pretty good bill” but said the administration has some concerns, not naming them specifically: “There are some things that we would like to fix in it. … The privacy community is right to have concerns but I think that we’ve built in very robust safeguards into the process that is going to be used and I think that we should be able to assuage their concerns.”
The Senate was initially expected to take up CISA before leaving for the monthlong August recess but didn't (see 1508050070). Senators reached a tentative agreement on amendments and plan to vote after the Senate’s return Sept. 8. The White House had mentioned some of those concerns but backed passage of the bill during the final days before the Senate recess. There's no direct House companion to CISA, but the Senate is expected to conference the legislation with the Protecting Cyber Networks Act (HR-1560).
“The committee has been in regular communication with the White House about the bill since approving it 14-1 in March,” a Democratic Senate aide to the Intelligence Committee told us. The aide said the two biggest administration concerns would be addressed through the manager’s amendment process. “Namely, the amendment would limit the bill’s authorization to share cyber threat information to sharing for cybersecurity purposes only and it would remove the ability of law enforcement to use information obtained through the bill for purposes unrelated to cyber crime (specifically by eliminating the authorization to use such information to investigate ‘serious, violent felonies’),” emailed the aide. “We expect that several other privacy issues will be raised via amendments on the Senate floor when the bill is considered. Once the Senate passes a bill, we will have to reconcile the differences with the House legislation. We hope this can be done quickly so the Congress can take this first, much-needed step toward improving cybersecurity.”
Daniel expects cybersecurity problems “to appear to get worse" before they get better but is “optimistic” about the embrace of cybersecurity policy questions among companies and the Obama administration, he said during a conversation with Sidley Austin data security and privacy attorney Alan Raul. “I’d say the metrics are actually looking worse because we’re finding things,” Daniel said. The National Institute of Standards and Technology's Cybersecurity Framework “is being widely used around the world,” he said. These mounting challenges are reflected in cybersecurity playing a “greater and greater” part of President Barack Obama’s daily brief, Daniel said: “It’s something that’s pervasive across the upper echelons of government. … You can really feel the difference.” Administration officials have developed “an entire way to raise issues” to reach attention of “senior” officials over the course of the past year, he said. Daniel’s job is also “more complicated” in trying to marshal the various agencies that vie for cyber involvement, he said, describing challenges of fitting people inside meeting rooms due to the heavy interest. Some smart companies “treat it as an element of risk management,” Daniel said. “It’s not a risk you can drive to zero.”
“The emergence of the Internet of Things has made the challenge of cybersecurity exponentially more difficult,” with “more threat vectors,” Daniel said, saying there are bright sides given how nascent the protocols are for IoT.
Cybersecurity has created international strains, Daniel calling it “a source of tension in our bilateral relationship” with China. The U.S. will engage in a “whole continuum of activities” in retaliating against other countries in cyberspace, he said. “It’s hard to imagine a situation in which we always say what we have done,” Daniel said, saying “sometimes we will make attribution” and “sometimes we will not.” U.S. successes “happen in the dark” and are “unnoticed,” but successes do happen, he said, citing how networks have adapted to the challenge within the Pentagon and government’s access to cybersecurity talent.
“It’s actually a good thing” that Congress takes so long to work through the issues, Daniel said. “The potential for unintended consequences here is quite large.”