What's Behind Delay of Info-Sharing Vote?
Obama First Wants Vote on Bill to Stop NSA Bulk Collection
Legislation before Congress to encourage the sharing of cyberthreat information between businesses and government won't come up for a vote until lawmakers act on a measure that would end the National Security Agency's bulk collection program, says Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper.
The bill curtailing the bulk collection program, known as the USA Freedom Act, also would make changes to several federal laws that authorize secret courts created by the Federal Intelligence Surveillance Act and extend by two years, until 2017, provisions of the USA Patriot Act, the law enacted after the Sept. 11 terrorist attacks that enhanced domestic security against terrorism and surveillance procedures. FISA courts oversee requests for surveillance warrants, usually by the FBI or NSA, against suspected foreign intelligence agents inside the United States.
The Senate version of the USA Freedom Act would curtail the NSA's collection of metadata on communications of Americans, a practice that came to light last year with revelations from former NSA contractor Edward Snowden. Attorney General Eric Holder and Director of National Intelligence James Clapper expressed support for the reforms to bulk collection of information on Americans.
"The administration says that before we move information sharing legislation, what Congress should first do is reauthorize the FISA court," Carper, D-Del., says, referring to the USA Freedom Act.
Carper, whose committee has federal government IT security oversight, says panel members have been discussing with privacy advocacy groups as well as the NSA ways to tweak the USA Freedom Act to safeguard individuals' privacy. "Right now, we're having a robust conversation, trying to figure out, do we really have to re-authorize the FISA courts before we can do information sharing or not?" Carper asks. "I'm not sure ... if we can do both of those bills this year ... but I would hope so."
Other Reasons for Delay
But other factors continue to stall a vote on the Cybersecurity Information Sharing Act, the bill that passed the Senate Intelligence Committee in July on a secret vote (see Senate Panel OK's Cyberthreat Info Sharing Bill).
Privacy advocates have criticized the Senate measure and a similar bill that passed the House because they contend the legislation favors the automatic and simultaneous transfer of cybersecurity information to American intelligence agencies, including the NSA. Privacy groups also say the Senate version would allow the government to use shared cyberthreat information not just to protect vital IT but to aid in criminal investigations and prosecutions, which the advocates say should be beyond the scope of the measure.
Some privacy groups had hoped other committees that they believe would be more sympathetic to their cause, including Homeland Security and Governmental Affairs, would hold hearings on the bill, but Carper never scheduled hearings on information-sharing legislation.
Instead, Carper tells Information Security Media Group that members of the Homeland Security and Governmental Affairs Committee have held informal discussions about the cyberthreat information sharing bill with their counterparts on the Intelligence Committee, but he declines to provide details on those discussions, including changes to the measure he seeks.
Sen. Tom Carper discusses cyberthreat information sharing bill before the Senate.
The Obama administration has yet to take a stand on the Senate cyberthreat sharing bill. "Given some issues that the privacy community has raised, we need to take that into account as we ... work on the bill," a senior administration official says (see Why White House Hasn't Backed CISA).
Another Bill Awaits FISA Action
The sponsor of the USA Freedom Act, Senate Judiciary Chairman Patrick Leahy, D-Vt., isn't moving forward with another cybersecurity bill he's sponsoring, a measure to create national requirements for data breach notification, until the Senate votes on the FISA court reauthorization (see U.S. Data Breach Notification Law Unlikely in 2014). "There's limited floor time, and the Judiciary chairman has to pick his spot," says Peter Swire, senior fellow at the Future of Privacy Forum, a Washington think tank.
Whether Congress votes on any cybersecurity legislation before it adjourns could depend on which political party gains control of the Senate in next month's election. Republicans are expected to retain control of the House, and some pollsters predict the GOP also will seize control of the Senate from the current Democratic majority.
If history serves as a guide, Carper says, no significant vote on cybersecurity legislation would likely occur in a lame-duck session should Republicans control the majority of seats in both the House and Senate in the next Congress. Carper explains that Republicans might want to wait until they have a majority in 2015 to address major bills.
Hope for Votes
But Carper says the Republicans might support votes this year on cybersecurity legislation supported by both parties should the GOP win control of the Senate in November just to "get them off the table" and begin their legislative reign next year with a clean slate.
Those bills, which won bipartisan support in the committee, include the Federal Information Security Modernization Act, a measure to update the law that governs federal government IT security known as FISMA; the National Cybersecurity and Communications Integration Center Act, which aims to strengthen the Department of Homeland Security's cyber operations unit; and an amendment to the Homeland Security Act, which would allow the DHS secretary to raise salaries to attract cybersecurity employees to the department. Legislation to attract cybersecurity talent has passed the Senate as a rider to a bill setting pay for border patrol agents (see Senate Passes Cybersecurity Skills Shortage Bill).
Assessing Obama's Cybersecurity Leadership
Carper credits the Obama administration for its unified voice for lobbying, albeit unsuccessfully, to get significant cybersecurity legislation enacted in the 112th Congress (2011-2012). "I don't fault them; they worked pretty effectively as a team," Carper says. "They didn't have the FBI saying one thing, DHS and the National Security Agency saying something else."
With no prospect of quick passage of significant cybersecurity legislation as the current 113th Congress convened in early 2013, Carper lauds the president for directing the National Institute of Standards and Technology to develop the cybersecurity framework, a guide for critical infrastructure operators to create a secure computing environment. Announced by President Obama in February 2013, the framework was issued by NIST a year later (see NIST Releases Cybersecurity Framework). "It's not the whole kit and caboodle, but it's part of what needed to be done; most people would say it was well done," Carper says.
In an audio excerpt of the interview, published on Oct. 21, Carper describes how it took him a year to build trust with the ranking Republican on his committee - Tom Coburn, an Oklahoma physician - to produce the Senate bills that cleared his committee earlier this year (see How Tom Carper Sees FISMA Bill Passing). "If I had been a better chairman of Homeland Security in, maybe, my first year, and had a chance to work even more closely with Dr. Coburn in my first year, I think we would have made more progress," Carper says. "I think I've gotten to be a better chairman. I hope I'm better."