Second time's a charm for CISPA bill
Six months after a US cybersecurity bill died in the Senate, some Obama administration officials and lawmakers are optimistic they can get a new law passed amid heightened public awareness of hacking attacks and cyber espionage.
With top intelligence officials warning that cyber attacks have replaced terrorism as the leading threat against the United States, the White House and lawmakers have spent months discussing how to improve the flow of information between the government and the private sector.
A second go-around for the Cyber Intelligence Sharing and Protection Act (CISPA) was approved by the Republican-controlled House of Representatives in a bipartisan vote on April 18, though the White House has again threatened to veto the bill unless more protections for privacy and civil liberties are added.
Still, senior Obama administration officials say behind-the-scenes talks with lawmakers this time around are constant, more serious and more productive.
"I actually think that the outlook is significantly better than it was last year," the White House cybersecurity policy coordinator, Michael Daniel, told the Reuters Cybersecurity Summit in Washington this week. "What has impressed me has been the willingness of everybody involved to actually continue having those discussions and to continue that extensive level of dialogue trying to find some solutions."
While Daniel cautioned that it is never easy to get the divided House and Senate to agree to anything, he predicted that final cyber legislation might be seen by the fall.
"A lot of us are concerned about getting a good piece of cybersecurity legislation before something really bad happens. As a general rule, legislation that is produced immediately after a crisis is not as good as the stuff that can be done when it's more thought-out," he said.
Last year, the Senate failed to pass a comprehensive cybersecurity bill that combined information-sharing provisions similar to those in the current CISPA with voluntary cybersecurity standards for businesses that control critical US infrastructure.
Since then, President Barack Obama has signed an executive order that directs government officials to set voluntary standards to reduce cybersecurity risk and offer incentives to private companies to adopt them.
A series of high-profile cyber attacks - such as repeated disruptions of the online banking sites of major US banks, or markets plunging on a fake message on the AP Twitter feed about a White House bombing that never happened - have built momentum behind cyber legislation.
The Senate does not plan to vote on CISPA, but is expected instead to take up its own cyber-related bills. On Wednesday, Senate Intelligence Committee Chairman Dianne Feinstein, a California Democrat, said her panel was drafting a version of an information-sharing bill.
Congressional aides said staff and lawmakers from both sides of the aisle are constantly meeting on the issue. One Senate aide said it was a collaborative process to agree on multiple key elements to make the overall law stronger.
Representative Mike Rogers, chairman of the House intelligence committee and CISPA co-author, said key senators including Feinstein were "completely all in" on the need to pass a cybersecurity law. The Michigan Republican predicted that House and Senate lawmakers could work out an agreement on at least an information-sharing bill.
"I think we're finally coming to the consensus here that hey, let's pass what we can pass and take another bite. This isn't the end-all cure-all," Rogers told the summit.
He said a meeting was scheduled this week - with more to come - between the House and the Senate to discuss in detail the elements of cyber legislation and see where compromise could be reached, without starting completely from scratch.
Rogers predicted that if a bill could pass through both houses of Congress, Obama would sign it despite the veto threat.
Top administration officials have underscored the urgent need for laws that would complement Obama's executive order and help ensure the government and the private sector are on the same page when it comes to threats posed to critical US infrastructure.
Homeland Security Secretary Janet Napolitano said many lawmakers received classified briefings last year on cyber threats, and better education on cyber risks means "we're starting from a much better base" on legislation.
"There's a lot of work going on behind the scenes," Napolitano told the summit. "There are many fewer concerns than there were last time around."
But officials acknowledge that hurdles remain. For example, some senators, like Homeland Security Committee Chairman Tom Carper, prefer a more comprehensive bill.
"While information sharing is an important part of our efforts, it is only one of many elements needed to properly bolster our cyber defenses," Carper, a Delaware Democrat, said in a statement.
Other issues he says he would like to address in legislation include protections for critical infrastructure, security of federal agency networks, cyber workforce development and notification of data breaches.
Some private industry security experts were skeptical about the prospects for broad legislation, as well as the effectiveness of such laws in preventing cyber attacks. Shane Shook, chief knowledge officer at cybersecurity services company Cylance Inc, suggested the private sector should organize information sharing itself.
"Comprehensive legislation is never going to happen that can be effective over all 18 sectors," Shook told the summit.
Ira Winkler, president of the Information Systems Security Association, said he was skeptical that any meaningful legislation would pass this year, barring a major cyber attack that damaged US infrastructure.
"We hear about wake-up calls, but people keep hitting the snooze button," he said.