Congress Likely To Retain Interest in Cybersecurity in 2016, but no Major Legislation Expected
Enactment of the Cybersecurity Act of 2015 is unlikely to reduce Congress' interest in cybersecurity issues during 2016, but it's equally unlikely that Congress will pass similarly major legislation in the coming year due in large part to the uncertain dynamics of the presidential election, cybersecurity stakeholders told us. The Cybersecurity Act was Congress' final version of conference cybersecurity information sharing legislation, after contentious negotiations over whether to favor language from the Senate-passed Cybersecurity Information Sharing Act (S-754) or two House-passed information sharing bills (see 1512160068).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
President Barack Obama signed the Cybersecurity Act this month as part of the FY 2016 omnibus spending bill (see 1512180052), although at least one member of Congress hopes to revisit the legislation next year. “When I return to DC, I'm going to introduce legislation to repeal the unconstitutional cyberspying bill that was enacted with the #omnibus,” Rep. Justin Amash, R-Mich., said on Twitter this week. In a Dec. 17 letter to House lawmakers, Amash called the cybersecurity provisions “the worst anti-privacy legislation since the USA PATRIOT Act.”
Congress spent years debating cybersecurity information sharing legislation before passing it as part of the FY 2016 omnibus, but neither the Senate nor the House is likely to lose interest in other cybersecurity issues in the near future, said Monument Policy Group lobbyist Andrew Howell. “We're seeing cybersecurity issues becoming relevant to a wider range of stakeholders” because of the Office of Personnel Management data breach and other data breaches, he said. “Members of Congress are going to have to get comfortable on these issues on an ongoing basis, whether it's doing a better job of overseeing and protecting government networks or working to ensure public-private partnerships to enhance cybersecurity remain robust. Cybersecurity is always going to be an evolving policy issue.”
Howell and several others cited the Department of Commerce's proposed implementation of the 41-nation Wassenaar Arrangement, which would in part control the export of intrusion software and IP network surveillance systems, as one of the likely cybersecurity issues to pique Congress' interest. Google and the Electronic Frontier Foundation are among U.S. cybersecurity interests that have raised concerns about implementation rules from Commerce's Bureau of Industry and Security being overly broad and potentially punishing legitimate security research (see 1507240054). The “dust-up over Wassenaar is going to be fertile ground for congressional oversight and having a conversation on how we make sure the U.S. remains a leader of global cybersecurity technologies,” Howell said. Commerce and the Department of Homeland Security already are urging possible revisions to U.S. implementation rules for Wassenaar as they relate to cybersecurity products, but a possible revamp is getting resistance in other federal agencies, an industry lobbyist said.
U.S. Wassenaar implementation already figures to be one of the first cybersecurity issues Congress examines in the new year, with the House Oversight Committee's IT Subcommittee planning a Jan. 12 hearing on Wassenaar's cybersecurity implications (see 1512280035). House Homeland Security Committee Chairman Michael McCaul, R-Texas, House Intelligence Committee Chairman Devin Nunes, R-Calif., and more than 120 other members of Congress also jointly sent a letter to National Security Adviser Susan Rice this month raising concerns that BIS' proposed Wassenaar implementation rules could disrupt international trade in products “regularly used for cybersecurity research and defense.”
Wassenaar may be just the first in a series of international cybersecurity issues that Congress focuses on in 2016 as conversations continue about whether a set of international cybersecurity norms is desirable or even possible, Howell said. A U.S. debate on international cybersecurity norms may be necessary because of international pressure on the issue, said Shane Tews, visiting fellow at the American Enterprise Institute’s Center for Internet, Communications and Technology Policy. The controversial World Internet Conference in Wuzhen, China, included substantial discussion about cybersecurity issues within the context of Internet governance (see 1512180049), opening up questions about “how much that comes into play” in U.S. policy discussions, Tews said.
Congressional interest in cybersecurity issues is unlikely to result in passage of any bills of the Cybersecurity Act's magnitude before the start of the 115th Congress in 2017, Tews and others said. “I think the [114th Congress] hit its high-water mark with the Cybersecurity Act,” said Internet Security Alliance President Larry Clinton. “There may be some procedural bills, but that's all we should expect” in 2016. “It's all going to be highly dependent on the election cycle,” Tews said. “These issues may continue to come up in the presidential primaries, but as we've seen with the debate on encryption there aren't many legislators who completely understand these issues. Candidly, I don't think there's the wherewithal in Congress to tackle major cybersecurity issues right now.” Former FCC Public Safety Bureau Chief Jamie Barnett, a Venable cybersecurity and telecom lawyer, said he's also “not optimistic that many things will happen” in the run-up to the election, barring any further major cybersecurity-related disasters.
Progress is more likely in the form of housekeeping measures, particularly oversight of the Cybersecurity Act's implementation, said Norma Krayem, Holland & Knight senior cybersecurity policy adviser. Plans for implementing many of the information sharing provisions in the Cybersecurity Act will be due before the end of March, and that process will include substantial oversight of how those plans deal with the privacy and civil liberties issues that were a hallmark of the years-long debate over information sharing legislation, Krayem said.
The Obama administration also “has a tremendous opportunity” to deal with some outstanding issues on implementing the president's past cybersecurity executive orders before he leaves office, Clinton said. The administration could unilaterally deal with streamlining cybersecurity-related regulations and increase its focus on use of the National Institute of Standards and Technology-facilitated Cybersecurity Framework, Clinton said. Fully realizing the goals of Obama's cybersecurity executive orders may have to wait for the start of the 115th Congress because many members “think they dealt with cybersecurity by passing the Cybersecurity Act,” Clinton said. The start of the 115th Congress could provide a renewed opportunity for Congress to “get its act together” and implement some of the legislative proposals the Obama administration and industry have called for beyond information sharing legislation, he said.