The Senate's Cybersecurity Bill Is in Trouble

Significant hurdles remain for the Senate's proposed cybersecurity legislation, which is competing with at least two other issues for a vote before recess.

Majority Whip John Cornyn (National Journal)

After a pair of massive cyberattacks compromised the personal information of more than 22 million people, most of whom work or worked for the government, lawmakers saw an opportunity to push for cybersecurity legislation that has been stuck in Congress for years.

Despite the calls for urgency, passing a bill won't be easy.

The Cybersecurity Information Sharing Act, or CISA, a Senate bill intended to facilitate the exchange of cyberthreat information between the private sector and the government, has been dogged by conflict and concerns about overreach, and is falling prey to partisan fights that have nothing to do with the issue.

Although the plan was to turn to CISA after the highway bill gets a vote, according to multiple Senate sources, senators may instead take up a measure that would defund Planned Parenthood — eating into time the Senate needs to vote on CISA. There's also a possibility that Majority Leader Mitch McConnell will send lawmakers home this week after they vote on a highway funding bill, leaving the cybersecurity bill for the fall.

"I'm sad to say I don't think that's going to happen," Majority Whip John Cornyn said Tuesday about a vote on the CISA bill, according to The Hill. "I think we're just running out of time."

Extra time could help. The cybersecurity bill has numerous political hurdles to clear that may not be easily negotiated during the first week of August, when senators' minds turn to recess. Many senators also hope to have time to propose further amendments to the bill, which may not be possible during a rushed August schedule.

Here's a rundown of the problems facing the cyber bill:

Outstanding privacy concerns

The information-sharing bill has long been opposed by privacy advocates, who say it would effectively broaden the government's powers to spy on Americans.

A letter sent Monday from a coalition of security experts, civil-society organizations, and privacy groups urges President Obama to issue a veto threat, arguing that CISA would result in Americans' private information being shared with the government, and criticizing it for allowing the information gathered from private companies to be used for purposes other than cybersecurity.

"While cybersecurity threats continue to be a significant problem warranting congressional action, CISA goes well beyond authorizing necessary conduct, to authorizing dangerous conduct, and unnecessarily harming privacy," said the Center for Democracy and Technology on its blog Tuesday. "Its broad use permissions suggest that the legislation is as much about surveillance as it is about cybersecurity."

Conflict with House bills

There are currently two bills in the House that complement the Senate's cybersecurity legislation, but reconciling the House bills — and then squaring the result with the Senate version — may prove to be very difficult.

The two House bills originated from different committees: One came from the House Homeland Security Committee, and the other from the House Intelligence Committee. Although they are similar in many ways, they differ on some key points, including on liability protection and privacy provisions.

What's more, neither currently lines up with the legislation under consideration in the Senate, which trades fewer privacy protections for more security provisions.

House Homeland Security Committee Chairman Michael McCaul said last month that the Senate's version of the bill would be dead on arrival in the House, because it could trigger fears of expanded surveillance.

"My concern is that they have an NSA information-sharing component in there that I think would be problematic in many ways in the House," McCaul said at a National Journal event. "I've warned them that if that kind of bill comes back, it's not going to pass, and that's the political reality."

A congressional aide said Tuesday that McCaul has not changed his mind about the current Senate bill, but that he is "supportive of Senate action and is optimistic the House and Senate can come together in conference, if the Senate were to pass their bill, to work out remaining concerns."

Unclear White House support

Although President Obama strongly supports information-sharing legislation, and has proposed his own model bills, the White House has not stated a specific position on Senate cybersecurity bill.

Asked about the bill in June, White House press secretary Josh Earnest did not comment on the proposed legislation, instead pointing to the White House's proposal. "We have pretty aggressively advocated congressional passage of that legislative language," he said.

The administration publicly came out in support of the two House bills in April, but has in the past issued veto threats against an information-sharing bill it said did not go far enough to protect Americans' privacy.

Questions about effectiveness

In addition to raising privacy concerns, some security experts say information-sharing legislation would do little to improve cybersecurity.

The sheer volume of information that would be disseminated under the bill would overwhelm law enforcement and intelligence entities that would have to pick through it, they say, and finding the needle in the haystack would be very difficult.

"CISA does not work. Private industry already has exactly the information sharing the bill proposes, and it doesn't prevent cyber attacks as CISA claims," wrote Robert Graham, a security expert and researcher, on his blog in March, when the bill was introduced. "On the other side, because of the false-positive problem, CISA does far more to invade privacy than even privacy advocates realize, doing a form of mass surveillance."

Sen. Ron Wyden, a Democrat from Oregon and a longtime supporter of digital privacy in the Senate, also said CISA would "have a limited impact on U.S. cybersecurity" in a March statement.

Wyden, the only member of the Senate Intelligence Committee to vote against the bill when it was passed in March, has called CISA a "surveillance bill by another name" and has been active on Twitter with the hashtag #StopCISA, crediting privacy advocates with pressuring Congress not to pass the bill.

If and when CISA goes in front of the Senate — whether it's this month or in the fall — Wyden and his privacy-minded allies will likely marshal a heated opposition to the measure, further complicating its path to the president's desk.