Political and industry wrangling likely will delay cybersecurity reforms
Republicans are set to deliver House Speaker John Boehner proposals for comprehensive cybersecurity legislation early next month, but disagreements over regulating critical infrastructure sectors and partisan friction make it unlikely the House and Senate will agree on a final big bill by year's end, say people familiar with the negotiations.
Within the next week, a House Republican task force is expected to hand Boehner, R-Ohio, recommendations on overhauling computer security laws for a full House vote.
The group "continued its meetings last week, is making good progress on its recommendations, and will meet the speaker's Oct. 3 deadline," said Alison Lynn, spokeswoman for Rep. Mac Thornberry, R-Texas, who heads the task force.
But on Sept. 23, Rep. Bennie Thompson, ranking member of the Homeland Security Committee, wrote Boehner a letter urging him to move any proposals through the normal committee process, meaning each committee with jurisdiction over cybersecurity would debate their relevant sections before a full floor vote.
"As leaders on an authorizing committee with experience working in a bipartisan manner on cybersecurity, we urge you move any legislative package through the House via regular order," wrote Thompson and co-signer Rep. Yvette Clarke, D-N.Y., ranking Democrat on the panel's Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee.
In addition, the minority leaders urged Boehner to ensure Democrats are involved in negotiations. "We also request your commitment that the Committee on Homeland Security, a panel with an extensive record of oversight on cybersecurity issues, will be afforded the opportunity to work in a bipartisan fashion to produce forthcoming cybersecurity legislation," they wrote.
In June, when Boehner announced the formation of the Republican-only task force, Jim Langevin, D-R.I., co-chairman of the bipartisan cybersecurity caucus, immediately issued a statement condemning Boehner's rejection of two-party cooperation.
The 12-member task force includes many committee chairmen with jurisdiction over cybersecurity matters, including Rep. Daniel E. Lungren, R-Calif., chairman of the Homeland Security Committee's cyber panel.
On Monday, Boehner aides said they did not have any announcements regarding cybersecurity legislation and declined to comment on the minority members' request for bipartisan proceedings.
Democrats said they will rely on strong relationships with their Republican counterparts to influence the final package.
On Monday, Langevin said, although he would prefer passing a comprehensive bipartisan measure, he is "open-minded about any strategy that will allow us to accomplish the most and deal with the most pressing concerns."
"Whatever the process, getting the substance right is my top priority," he added. "What's most important is that we not let this moment slip away." Langevin said he is focused on properly empowering the Homeland Security Department to take on an expanding cyber mission, shoring up federal networks, improving information sharing with the private sector and beginning to establish cyber protections for critical infrastructure.
"Some of the Republicans are perfectly willing to do this in a bipartisan fashion," said James A. Lewis, a cybersecurity specialist at the Center for Strategic and International Studies who has advised lawmakers and the Obama administration on policy matters.
By pressing forward on a legislative agenda, despite intense political battles over deficit reduction and other campaign issues, House Republicans have shown a commitment to cybersecurity. "They are all really serious," Lewis said. "They all really want to get something done."
A remaining sticking point in both chambers is how to protect the nation's critical infrastructure -- power grids, financial services networks and telecommunications -- from a cyberattack. Currently, the Defense Department does not have the legal authority to defend civilian systems, and Homeland Security, which oversees private sector cybersecurity, does not have the power to regulate those systems.
"One common theme is a reluctance to give DHS more authorities," Lewis said. Industries have long lobbied against the federal government telling them how to manage their technology, he said. "How do you get critical infrastructure companies to do something that they may not otherwise do?"
He sees a strong possibility that Congress will enact piecemeal legislation to at least bolster noncontroversial protections that demand immediate attention. For instance, there is wide support for replacing a mishmash of conflicting state laws with one national standard for notifying victims of data breaches, after Sony and Citibank waited weeks to inform customers their personal information had been exposed. And the prospect of a hacker-induced power shutdown could prompt action on energy cybersecurity.
"People have figured out there is some risk," Lewis said. "Some industries don't need a lot of additional regulation," such as the heavily-policed telecommunications and financial sectors, but "the electric sector in particular could use a little bit of improvement."
Meanwhile, it has long been anticipated that the Senate will vote on a sweeping cybersecurity package containing proposals vetted by the various oversight committees. The Judiciary Committee last week passed a computer fraud measure, S.1151, that is considered a candidate for the comprehensive bill.
"Working with Majority Leader [Sen. Harry Reid, D-Nev.] and the Republican leadership, we can ensure that it be part of the comprehensive cybersecurity legislation the Senate considers," Leahy said during a committee session earlier this month.