Why Cybersecurity Legislation Will Likely Come Up Short — Again

WASHINGTON — The threat of cyberattack is an increasingly hot topic in Washington, but political interest alone appears unlikely to provide enough momentum to get cybersecurity legislation supported by banks passed this year.

The issue continues to gain widespread attention in the wake of numerous attacks on banks and other companies in recent years, with some, including former Defense Secretary Leon Panetta, warning about the prospect of a future "cyber-Pearl Harbor" that could cause widespread damage to financial networks, the power grid or other key sites.

But a debate over how much information private companies should share with the government has divided lawmakers and complicated the push for a bill.

"At this stage, despite all of the noise that we're hearing about the threat, I haven't seen the will on the Republican or Democratic side to come to a compromise on some of these issues," said Nathan Taylor, an attorney at Morrison Foerster. "That decreases the likelihood of something passing Congress and getting to the president's desk unless it is really narrowly targeted on areas that are really noncontroversial."

The White House issued an executive order in February that expanded some information sharing provisions and directed the construction of a national cybersecurity framework, but observers have said the effort is not a substitute for legislation.

Cyber experts say that increased information sharing is critical to helping head off future attacks, while privacy advocates warn that making the provisions too lenient could erode consumer protections and individual rights.

For their part, banks are already highly involved in sharing information with their regulators and the industry, but remain hopeful that a formal measure could benefit the economy as a whole.

"The info sharing piece is obviously very important to financial services companies," said Doug Johnson, vice president of risk management policy at the American Bankers Association. "It's not just about information sharing in our sector, which we already do quite well, but trying to ensure that companies outside of our sector and the government really understand what the processes are associated with this, and what kinds of liability protections and civil liberty protections are needed."

Despite increasing interest in the issue from lawmakers and the private sector, however, it's unclear whether there's a viable vehicle in Congress for passing any information sharing provisions after the Senate twice failed last year to pass comprehensive cybersecurity legislation. Beyond the debate over privacy concerns, lawmakers also need to address disagreements over which government agency should head up information sharing efforts and possibly coordinate across multiple committees with jurisdiction on some of these issues.

Efforts this year have fallen short so far. The Cyber Intelligence Sharing and Protection Act, which passed the House in April, was considered dead-on-arrival in the Senate, largely because of concerns among Democrats and the White House that it didn't do enough to protect privacy.

Sen. Dianne Feinstein, D-Calif., chairman of the Senate Intelligence Committee, said last month that her panel is drafting its own bipartisan legislation, but the bill hasn't been introduced yet. A spokesman declined to comment further on the legislative effort.

Other lawmakers, including some in the House, are also said to be possibly renewing their work on the issue, despite CISPA's failure.

"I am confident we are not going to see a bill passed this year called CISPA," said Gerald Ferguson, a partner at Baker Hostetler. "CISPA has become such a lightning rod for criticism from civil liberties groups. The White House and Senate want to do all they can to distance themselves from it. But it's a different question as to whether they can pass an information-sharing bill, and I think there's a good prospect at that."

A key issue for any bill will be how much exposure companies have to potential lawsuits when they share certain information connected to an attack with other entities.

"When it comes to information sharing, there's a lot of disagreement on what the liability protection should be on that information sharing," said Taylor. "Should a company be open to suit for sharing information with the federal government or for sharing cyber-threat information with another private company?"

The issue is particularly acute for industries such as internet service providers, which could be put into the position of sharing IP addresses and other sensitive information in the wake of an attack — a big concern for privacy advocates. The issue is also key for banks, however, because it would provide more clarity on the issue overall.

"The reality is that because financial services is so highly regulated, financial services are already reporting cyber threats and infrastructure threats to regulators," said Ferguson. "For the financial services industry this can only be a bonus, because when a bank reports an incident there's the risk this is going to lead to liability exposure down the line. To the extent any legal immunity is in place for information sharing when it's done according to certain parameters, that's better for banks."

Ferguson added that there could ultimately be room for compromise on the issue if legislation is crafted in a way that provides limited protection for companies engaged in information sharing.

"I suspect what we're going to see is limited immunity for companies doing information sharing, as long as they don't share too much," said Ferguson. "I'm not sure anything will fully satisfy the vehement advocates of civil liberties, but I think you could draw in more moderate Democrats with that sort of protection. And the argument for conservatives is that's better than no protection."
