Congress Faces Contentious Cyber Proposals When NDAA Conference Kicks Off

Lawmakers face a long list of industry concerns about proposed cybersecurity policies when they start to reconconcile the House and Senate versions of the National Defense Authorization Act.

During a call with reporters Wednesday, Rep. Adam Smith, D-Wash., chairman of the House Armed Services Committee, told reporters discussions have been taking place at the staff level but that scheduling a “big four” meeting has been challenging due to the campaign schedule of Senate Armed Services Chairman James Inhofe, R-Okla. The first meeting of the leaders, along with their ranking members, is tentatively scheduled for Monday, Smith said.

Industry groups, including federal contractor and technology associations have been submitting their feedback on the House and Senate bills in sometimes competing letters to the four lawmakers on issues at the center of cybersecurity policy.

The latest such appeal is an Oct. 20 letter from major business groups of critical infrastructure sectors expressing support for provisions in the House Intelligence Authorization Act that would require the intelligence community to dedicate more resources toward protecting strategic assets in the private sector.

Smith confirmed intelligence authorization bills will be considered as part of the larger conference.

“Improving and standardizing collaborative efforts between the public and private sectors to better inform foreign intelligence collection, analysis, and strategic warning of attacks will help protect [critical] infrastructure as national security assets,” according to the letter, which was sent to leaders of the intelligence committees and signed by the American Bankers Association, the Bank Policy Institute, Edison Electric Institute, USTelecom, and the  U.S. Chamber of Commerce. 

The groups urged support of sections 605 and 606 of the Intelligence Authorization Act as reported out of the House Permanent Select Committee on Intelligence. 

The provisions would require the Director of National Intelligence to “establish a formal process to solicit and compile information needs of covered entities to improve the defenses of such entities against foreign cybersecurity threats,” and “conduct a review of applicable laws, policies, procedures, and resources of the intelligence community that apply to the intelligence community’s understanding of cybersecurity threats to covered entities.” They specifically include accompanying budgetary considerations.

“The Department of Homeland Security and Sector Specific Agencies play important roles and are critical partners with designated critical infrastructure,” reads the letter, “however, they cannot provide the foreign intelligence collection capabilities and analytic capacity of the intelligence community led by the Director of National Intelligence.”

The private sector produces its own cyber threat intelligence, which rivals that produced by the intelligence community. But efforts to establish “bidirectional” information sharing have long floundered even after liability protections were established in a 2015 law to allay industry concerns over privacy and antitrust violations.  

Since its inception, DHS’ Cybersecurity and Infrastructure Security Agency has been running a public-private task force on ways to secure the supply chain of information and communications technology. At an event hosted by the Chamber of Commerce Friday, the industry co-chairs of the group—senior vice presidents of USTelecom and the Information Technology Industry Council—said a report on the group’s work over the last year is coming soon and will include options to consider for mitigating private litigation risks of information sharing from the industry side.

The risks identified are again tied to anti-competitive behavior, in addition to the propagation of false information and breach of confidentiality. The policy options will again include “exploring additional longer term changes in law.”

Release of the task force report is expected Nov. 6, according to an industry spokesperson.   

Editor's note: This article was corrected to show the Senate's NDAA includes its version of the Intelligence Authorization Act but the House's NDAA does not.