Telecoms Seen Seeking Combination of House, Senate Cybersecurity Info-Sharing Provisions in Conference Bill
Telecom industry stakeholders are likely to favor combining elements from both the Senate-passed Cybersecurity Information Sharing Act (S-754) and the House-passed Protecting Cyber Networks Act (HR-1560) as Congress moves toward a conference on the two bills, industry lawyers and lobbyists told us. The Senate passed S-754 Tuesday, as expected (see 1510270064), voting 74-21 for the bill. The House passed HR-1560 in late April and added the full language of the National Cybersecurity Protection Advancement Act (HR-1731) before sending the bill to the Senate (see 1504300065).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Passage of S-754 came after the Senate voted down six proposed amendments not included in a manager’s amendment to the bill, including five privacy-centric amendments. The Senate also voted 22-73 on an amendment from Sen. Tom Cotton, R-Ark., that would have given S-754's liability protections to companies that share cyberthreat information with the FBI and Secret Service. Senate Intelligence Committee Chairman Richard Burr, R-N.C., and committee Vice Chairwoman Dianne Feinstein, D-Calif., incorporated modified language into their manager’s amendment before passage from Sen. Jeff Flake’s, R-Ariz., sunset amendment that will require Congress to re-evaluate S-754 after 10 years.
Conference negotiations on S-754 and HR-1560 are likely to “move at a very slow pace,” Burr told reporters after Senate passage of S-754. “You saw how difficult it was and how technical this can be.” The highly technical provisions in both HR-1560 and S-754 and a possible shift in the House Intelligence Committee’s leadership are likely to hinder swift conference negotiations, which may not conclude until “after the first of the year,” Burr said. Current House Intelligence Chairman Devin Nunes, R-Calif., is expected to bid to lead the House Ways and Means Committee once current Chairman Paul Ryan, R-Wis., takes over as House speaker. The House Republican conference voted 200-43 Wednesday to nominate Ryan for speaker over Rep. Daniel Webster, R-Fla., all but assuring the House will select Ryan as speaker Thursday.
The Telecommunications Industry Association and many other industry backers of S-754 and HR-1560 pressed for quick congressional action to bring a unified bill to President Barack Obama, but an industry lobbyist also noted private expectations that negotiations will be lengthy. The conference process is still likely to “take less time than it would otherwise,” because the House and Senate have been “working together for some time” on their legislation, said Norma Krayem, Holland & Knight senior cybersecurity policy adviser. Both houses “understand that it’s taken years to get a bill done so it’s better to get this bill done right than to rush,” but there is also a “level of urgency to get the bill completed as soon as humanly possible,” she said.
S-754 and HR-1560 are similar enough to be conferenced, but contain some distinct differences -- particularly in how they would deal with the Department of Homeland Security’s role as the main civilian portal for cybersecurity information sharing, lobbyists said. Both bills codify DHS as the main civilian portal, but S-754 gives companies significantly bigger incentives to share with other federal agencies. The roles DHS, federal intelligence agencies and law enforcement play in information sharing will be a “key component” of conference negotiations, Krayem said. Those issues will be “critical both for the private sector in understanding how the process will work, and certainly also for privacy advocates since that’s key to how a civilian portal would be managed,” Krayem said.
Several industry groups indicated they are still sounding out their members on what provisions from S-754 and HR-1560 they would favor for inclusion in a conference bill. But they indicated there is little industry support for S-754’s provision requiring federal department and agency heads to submit reports to appropriate congressional committees describing “the extent to which each covered [critical infrastructure] entity reports significant intrusions of information systems essential to the operation of critical infrastructure” to DHS and other agencies in a timely manner.
The telecom industry isn’t likely to strongly favor either S-754 or HR-1560 as the dominant contributor to a conference bill, said former FCC Public Safety Bureau Chief David Turetsky, now a cybersecurity and telecom lawyer at Akin Gump. “I don’t think it’s a one versus the other” situation, he said. “The telecom industry in general strongly supported” S-754, with several industry groups doing so publicly during the months of negotiations preceding the Senate’s vote Tuesday, he said. “The goal was to get CISA through the Senate so it could be conferenced and the industry is supportive of passing legislation,” Turetsky said. “Like everybody else, they want a good bill but they also just want a bill.”
Some industry entities may “have a tendency to favor” HR-1560 because it appears to be “clearer on what is expected,” said former FCC Public Safety Bureau Chief Jamie Barnett, a Venable cybersecurity and telecom lawyer. “The liability limitations in that bill are also better for companies, but obviously you have companies on both sides of this issue.” HR-1560’s liability protections are also stronger than those included in S-754, he said.
“There’s stuff to take from both” HR-1560 and S-754, an industry lobbyist said. HR-1560 does contain a “few limitations on sharing personal information” that are likelier to discourage sharing personally identifiable information (PII) with DHS, the lobbyist said. HR-1560 also contains a provision that would sunset that bill after seven years, which in combination with the PII sharing limitations “makes it a little more appealing” than S-754, the lobbyist said. “But on the other side, [S-754] does have advantages in terms of the DHS secondary privacy scrub that made it into the manager’s amendment.”
Sen. Ron Wyden, D-Ore., told reporters that he believes closer-than-expected votes on privacy amendments “give us a lot to work with” in pushing for more privacy protections during the conference. The Senate voted 41-55 against an amendment from Wyden that would have required the removal of PII from cyberthreat data shared by the private sector, and 47-49 against a similar amendment from Sen. Dean Heller, R-Nev. There will also be “plenty of opportunities in the days and weeks ahead” to push for improved privacy protections outside of the conference process, Wyden said Tuesday. “These issues are constantly evolving and showing that the real challenge is to find policies that address both security and liberty.” The privacy protections included in a final conference bill are likely to be the closest watched provisions, though it’s likely the conference will “stick to” the language in the passed versions of S-754 and HR-1560 rather than attempt to re-visit privacy-centric amendments that failed to make the original cut, Krayem said.