After the finish line on cyber legislation

After the finish line on cyber legislation

No sooner had the Senate passed the Cybersecurity Information Sharing Act than the fight began to shape the final product in negotiations with the House. But the privacy groups, dissenting senators and industry organizations looking to advance their agenda during a conference committee might have to hold their horses for a while: Bill co-sponsor Richard Burr said January is the earliest we might see a finished compromise.

One of the fights over CISA that had been flying under the radar isn’t any longer: Both the Financial Services Roundtable and Securities Industry and Financial Markets Association both made it clear that they dislike a section of the bill added by Sen. Susan Collins and want it stripped during conference. Their fear is that her language would give the Department of Homeland Security a new role in oversight and supervision of the cyber defenses of critical infrastructure firms; for the financial services industry, that would be a duplicative layer, they warn. They also see the language as potentially leading to new regulations.

Collins explained her section of the bill, 407, as requiring “the DHS secretary to conduct an assessment of the fewer than 65 critical infrastructure entities at greatest risk and develop a strategy to mitigate the risks of a catastrophic cyberattack. A staff summary said it would require “DHS and appropriate regulatory entities to assess whether the government receives adequate information from those critical infrastructure entities whose failure due to cyberattacks would cause catastrophic consequences.” Collins’ floor speech:

A common theme among CISA supporters after Tuesday’s vote was that this is just the Senate’s first step on cybersecurity. Once a conference bill is adopted, bill co-sponsor Dianne Feinstein told reporters, the Senate should turn its attention to protecting critical infrastructure from cyberattacks. “That’s very difficult, but the fact of the matter is, it’s only a question of time before some adversary takes out a water system or a Pacific Gas and Electric system or, God forbid, an airplane or a control system,” Feinstein said, “so the critical infrastructure of this country is going to need some more protection.”

Sen. John McCain struck a similar chord, noting warnings from U.S. Cyber Command Chief Adm. Michael Rogers that it’s “only a matter of time” before U.S. adversaries strike the nation’s critical infrastructure. “This is a first step of many steps that need to be taken,” McCain said, “but it is a most important step because it will lay the predicate for future legislation.” And earlier Tuesday, Senate Minority Leader Harry Reid blasted Republicans for blocking comprehensive cybersecurity legislation three years ago, saying CISA is “far too weak” and more is needed: “To not move forward with more comprehensive cybersecurity legislation will be considered legislative malpractice.”