WASHINGTON House lawmakers approved two bills this week to foster greater information sharing between the private sector and government about cyber threats and all eyes now turn to the Senate to see if legislation can finally be enacted.
The House approved the Protecting Cyber Networks Act late Wednesday by a vote of 307 to 116 and the National Cybersecurity Protection Advancement Act on Thursday 355 to 63.
The two measures both seek to encourage greater sharing of information on potential attacks by granting companies liability protections on at least some of the data they provide, but differ somewhat on how the information would be shared and how privacy rights would be upheld. Both measures passed despite inclusion of an 11th-hour amendment opposed by many in the financial industry that would sunset the standards after seven years.
Hope for supporters of new information-sharing standards now rests with the Senate. Leaders have indicated the Senate could move forward on its own bipartisan bill in coming weeks, which is backed by many in the banking industry.
"As is often true, the House is out front. The House has passed cyber bills every year since 2012 almost always in April and they frequently pass four or five bills," said Nathan Taylor, a partner at Morrison Foerster. "What really matters is the Senate."
The Intelligence Committee approved the Cybersecurity Information Sharing Act nearly unanimously last month, but the legislation has yet to move to the chamber floor. The bill is similar to a measure the panel advanced last year, which failed to receive a vote by the full Senate.
Those watching this issue say they'd like to see Majority Leader Mitch McConnell move on the legislation before Memorial Day. That could prove difficult as competing priorities including a vote on the Iran nuclear deal and a possible budget agreement are potentially crowding the field. The key would be to advance legislation in both chambers so that the Senate and the House can try to work out a final deal before all of the focus turns to the 2016 elections.
But the issue has already won bipartisan support, and the White House has repeatedly urged Congress to pass an information-sharing bill. The Obama administration said it would not veto the House bills debated this week, though it urged further changes to the liability protection and privacy provisions in the legislation. High-profile data breaches continue to dominate headlines, providing some momentum for the move to get legislation over the finish line.
"The immense amount of cyber incidents we've seen over the last year has shown us that there's a strong need for legislation," said Anne Brady Perron, an executive vice president at Crossroads Strategies.
The stakes around some recent breaches are also heightened, such as attacks at several health-care providers earlier this year.
"The Anthem and Premera breaches are potentially much more devastating than a Target breach, because payment information has a shelf life and fraud is reversible and you can change your credit card," said Scott Vernick, a partner at Fox Rothschild. "It's much more difficult to change your social security number or health information the financial consequences are potentially much more devastating."
Crucially, the Senate intelligence panel opted for a bipartisan approach on information sharing again this year, despite the change in party control. The panel's ranking member, Sen. Diane Feinstein, D-Calif., could help bring along several key votes that would be essential for getting the legislation passed without the threat of a filibuster.
"The fact that the Senate Intelligence Committee worked closely with Feinstein this year is huge," said Taylor. "There was a shift in Senate control, but the Republicans recognized what Feinstein has put into this over the past two years and treated her as a partner. When you start doing the math, I think Feinstein is the x-factor that could get the bill through the Senate."
Fortunately, observers said, the starting texts in both the House and Senate are relatively similar this time around, which should at least give lawmakers a common framework should they reach the point of bicameral negotiations.
"They are definitely not worlds apart," said Karl Schimmeck, managing director of financial services operations at the Securities Industry and Financial Markets Association.
Still, the devil as is so often the case in this town resides in the details, some warned. The three bills differ somewhat in their approaches, including which agencies would collect and disseminate the information, how the government could use the data and what privacy protections would be required for consumers.
Other hurdles also remain as the process grinds forward. The financial industry and broader business community are likely to be watching the Senate amendment process closely should CISA get some time on the floor. One issue that lawmakers in the two chambers will have to work out is whether to retain some kind of sunset provision in final language.
"It's unfortunate that the last two days have been dominated by controversy over this sunset amendment, because we're pleased that the House has acted and that the Senate appears close to acting and that the White House seems to be constructively engaged," said Dave Oxner, managing director of federal government relations at SIFMA, who said he remains "cautiously optimistic" about the process.
But Oxner added that the sunset provision is still "a very troubling development," warning that the group would "really have to consider whether the bill is workable" if the Senate retained a similar cutoff.
Another potential obstacle could center around efforts to insert language during the amendment process on crafting a national breach notification standard or improving data security requirements separate but related issues around how to deal with cyberattacks.
House and Senate lawmakers are also working on provisions to address those concerns this Congress, though so far they have not been merged with the information-sharing push. Observers said the odds that such measures would make it into a final bill were low, but any move in that direction could potentially slow down or complicate the process.
"There's a desire to enact cyber legislation and an effort to enact data security and you don't want one to bring down the other, but you want to find a way to get them both done," said one financial industry source, who spoke on the condition of anonymity.