When the 113th Congress gavelled into session in January, it promised a renewed focus on cybersecurity legislation. The 112th Congress punted much of its cybersecurity legislation to its successor, and the pressure was on to produce. But despite leadership changes and an increased focus on the issue, passable, effective legislation has not necessarily followed.
Almost weekly, new reports emerge showing the ubiquity of cyber-attacks on U.S. businesses, costing the economy billions of dollars. Recently, the government also accused Chinese hackers of stealing designs for classified military technology. And Washington has responded. The White House issued an executive order on cybersecurity in February. Lobbying reports mentioning the word “cybersecurity” doubled in 2012. Rep. Michael McCaul (R-Texas) — who took over as House Homeland Security Committee chairman — promised to make the issue his “top priority.”
“This Congress, you have different players and people who want to have conversations,” Jessica Herrera-Flanigan, a partner at Monument Policy Group, a lobbying firm representing Boeing Co., Microsoft Corp. and LinkedIn Corp, said in an interview with FedScoop. “The dynamics have changed, and that’s making a difference.”
But while there are more Hill hearings on the issue and a new dialogue between the House and Senate, skepticism remains that strategies have changed or that legislation with a realistic chance of becoming law is getting written.
“We definitely see more legislation moving in some form, but passage you can never tell,” said Herrera-Flanigan, a former staff director for the House Homeland Security Committee.
Leadership change in the House’s Homeland Security Committee led to expectations of a different approach. McCaul ascended as chair, and Rep. Peter Meehan (R-Pa.) replaced outgoing Rep. Daniel Lungren (R-Calif.) as chair of the subcommittee on cybersecurity. In 2012, Lungren failed to push through a cybersecurity bill to assess the cyber threats to critical infrastructures — the electric grid, financial services systems, etc. — and enhance cyber threat information sharing. McCaul vowed to introduce a similar bill with more input from the private sector, hoping to overcome one of the major obstacles that killed Lungren’s bill.
But thus far, McCaul has just reintroduced his Cybersecurity Enhancement Act from the previous Congress and advocated for the Cyber Intelligence Sharing and Protection Act, also reintroduced from the 112th Congress. Both passed the House again, but are likely to languish in the Senate (again) plagued by partisanship and privacy concerns. President Barack Obama has also threatened to veto CISPA. McCaul has indicated his committee has another cybersecurity legislation bill “in development” to delineate the Homeland Security Department’s role in sharing cyber-attack information with private companies.
“I don’t see any creativity and any imagination or any serious legislation coming from the House,” said Peter Toren, a lawyer at Weisbrod Matteis & Copley and who was one of the first federal prosecutors with the Justice Department’s Computer Crime Unit, created in 1992. “If Congress wants to be really serious about it, they have to take a fresh approach to the issue and not simply graft and make changes to the existing law that may or may not be adequate.”
In the 112th Congress, the Senate ignored both the Enhancement Act — intended to bolster cybersecurity research and the government’s cyber workforce — and CISPA, which would allow the public and private sectors to share Internet traffic information. Instead, the upper chamber pursued its own bill, led by Sen. Joe Lieberman (I-Pa.) and Sen. Susan Collins (R-Maine), who are no longer in the top spots on the Homeland Security and Governmental Affairs Committee. Lieberman retired, replaced as chair by Sen. Tom Carper (D-Del.), and Sen. Tom Coburn (R-Okla.) took Collins’ spot as the committee’s ranking member.
“That starts the discussion off fresh in some ways,” Herrera-Flanigan said. Republican leadership also changed on the Senate Commerce Committee, which was part of the cybersecurity push in 2012.
But with guns, immigration and the sequester grinding the Senate’s progress to a halt, the group hasn’t even touched cybersecurity since January. Enter the White House. Obama’s cybersecurity executive action in February allows the government to gather some intelligence on cyber-attacks and cyber threats to privately owned national infrastructure (i.e. utility networks and the banking industry). It was widely viewed as a first step, but could give the Senate an out on making its own legislation.
“The real question in the Senate is, do they need to address the requirements regarding critical infrastructure?” Herrera-Flanigan said. “Is that needed in light of the executive order?”
Though Congress has yet to diverge significantly from its predecessor on specific cybersecurity bills, it might set itself apart by introducing cybersecurity sections into annual legislation like the National Defense Authorization Act and the Appropriations Act.
The 113th Congress could also set itself apart by addressing “hack back.” Currently, private companies are not allowed to make defensive cyber-attacks to counter hackers. Advocates want Congress to allow immunity for corporations fighting back against hackers, or to set guidelines for legal forms of defensive cyber-attacks. So far, the topic has only made it to the Hill in committee testimony, but Herrera-Flanigan expects it to hit the House floor within a year or two. And Toren believes at least it would show a willingness to craft new legislation that acknowledges the current landscape.
“Putting aside some other ethical questions and whether it would be successful,” he said, “[it’s] clearly something Congress needs to consider.”