Export Compliance Daily is a Warren News publication.
Sony Breach Interest

CISPA's Prospects Unchanged With Shift Into 114th Congress

Rep. Dutch Ruppersberger, D-Md., reintroduced the controversial Cyber Intelligence Sharing and Protection Act (CISPA) Friday, but a new year and a new session of Congress hasn’t substantially changed the bill’s prospects for enactment, industry lawyers and lobbyists told us. Ruppersberger cited North Korea’s December data breach at Sony Pictures Entertainment as the impetus for his early reintroduction of the bill, saying in a statement that “we must stop dealing with cyber attacks after the fact.” The version of CISPA for the 114th Congress (HR-234) is a near facsimile of the version the House passed during the 113th Congress (see report in April 19, 2013, issue). The Senate didn’t vote on the Cybersecurity Information Sharing Act (CISA), which was substantially similar to CISPA, before the 113th Congress adjourned in December.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

Ruppersberger introduced HR-234 without any co-sponsors, though he had apparently contacted several House Republicans before making the bill public, an industry lobbyist told us. Ruppersberger had introduced the previous two versions of CISPA with then-House Intelligence Committee Chairman Mike Rogers, R-Mich., who retired at the end of the 113th Congress. Ruppersberger decided not to wait for a Republican to sign on to HR-234 before he introduced the bill because he “feels it is too time-sensitive and important to wait,” a Ruppersberger aide said. “We are in the process of lining up support now.” That lack of immediate support from House Intelligence Republicans may be an indication that the caucus isn’t interested in revisiting CISPA, the industry lobbyist said. The lack of co-sponsorship could also be due to the committee still determining its cybersecurity priorities rather than a deliberate snub of HR-234, another industry lobbyist said.

Legislation to improve information sharing is likely to be a top cybersecurity priority for Congress and both houses’ intelligence committees, but it’s unclear how much of a role CISPA specifically will play in the final bill Congress considers, lobbyists said. House Republicans are likely to be less enthusiastic about CISPA given the disclosures about controversial NSA surveillance programs, all of which occurred after the House passed CISPA in April 2013, said Arent Fox Senior Government Relations Director Alex Manning, former staff director for the House Homeland Security Committee’s Cybersecurity Subcommittee. Some of the congressmen who voted for CISPA in 2013 “later regretted” that vote after former NSA contractor Edward Snowden began leaking information about the agency’s surveillance programs that June, Manning said. The NSA leaks “make it less likely that CISPA will even move to the floor,” Manning said. “A lot of members are going to be very wary of voting on any legislation that would arouse the ire of the privacy community. There will be pressure to either not bring it up or to significantly amend it.”

Former FCC Public Safety Bureau Chief Jamie Barnett, a telecom and cybersecurity lawyer at Venable, said CISPA and CISA drew criticism from both parties during the 113th Congress. But CISPA could at least “form the basis” for information sharing legislation during the 114th Congress, he said. “Having both houses in one party’s hands” is likely to increase the prospects of cybersecurity legislation generally, including an information sharing bill.

Leadership changes at House Intelligence also are likely to factor into how much attention Congress pays to CISPA, Barnett said. Ruppersberger was House Intelligence ranking member when the previous two versions of the bill were up for consideration, but he was term-limited out of that role for the 114th Congress. Rep. Devin Nunes, R-Calif., now chairs House Intelligence, and Minority Leader Nancy Pelosi, D-Calif., on Thursday named Rep. Adam Schiff, D-Calif., the new House Intelligence ranking member. Nunes said in a statement that he welcomes Ruppersberger's reintroduction of CISPA, but "I hope to see a variety of proposals that will help us craft the best possible defense against cyberattacks." Ruppersberger is likely to continue to hold considerable influence within House Intelligence, but Schiff has previously been a critic of CISPA and NSA surveillance, Barnett said.

"Many commentators have raised concerns about the civil liberties implications of the information sharing regime” in the version of CISPA that the House passed in the 113th Congress, Schiff said in a statement. “I believe those defects are easily remedied.” Rep. Zoe Lofgren, D-Calif., said in a statement Friday that she believes meaningful cybersecurity legislation is necessary given the Sony data breach, but “CISPA’s astonishingly broad and overly vague information sharing regime does more harm than good when it comes to Americans’ privacy.” Senate Intelligence Chairman Richard Burr, R-N.C., and committee Vice Chairwoman Dianne Feinstein, D-Calif., didn’t comment on whether they're drafting legislation similar to CISPA for Senate consideration.

Privacy issues have grown in urgency” since the NSA surveillance leaks, Harley Geiger, Center for Democracy & Technology advocacy director and senior counsel, said. “Politically we’re in a place where we absolutely should secure our networks, but people want the security without endangering their privacy,” he said. The U.S. government has proven it has a “voracious appetite” for information, and in some cases, hacking, Geiger said.

Cybersecurity is a major issue” due to recent high-profile breaches, and it’s “highly likely that we’ll see action on cyber legislation” this year, Geiger said. The Senate equivalent of CISPA died because of “significant privacy issues,” he said. Those privacy issues are “key” in determining the viability of any cybersecurity bill, Geiger said. Cybersecurity should be governed by a “civilian agency, not by military leadership” like the NSA, he said. Information sharing is a “hugely important component” of cybersecurity legislation, but CDT doesn’t want personal data to wind up in a military agency, Geiger said. He said CISPA didn’t “fix either of those problems” when it was introduced last year, but an amendment was introduced to “reaffirm civilian leadership of cybersecurity efforts for private sector networks.”

The new version of CISPA is also problematic because it provides liability protections for companies that report cyber vulnerabilities to a government entity, Richard Forno, University of Maryland-Baltimore County Cybersecurity Graduate Program director, said. That’s a “glaring get out of jail free card,” he said. CDT believes private network operators should be required to “ensure that the data they disclose to the government actually does pertain to a cyber threat, as opposed to giving broad immunity to companies that disclose anything and everything,” Geiger said.

Comprehensive cybersecurity legislation is generally unlikely to gain traction, but piecemeal bills like a set of four Department of Homeland Security-centric cybersecurity bills enacted in December will continue to have a good chance at passage, Manning said. Congress is likely to consider similar agency-centric legislation aimed at the Department of Defense and other federal agencies that play a federal cybersecurity role, he said. That trend is reflected in the expanding number of committees that are taking an interest in cybersecurity policy, Manning said. That expansion includes the House Commerce Committee’s renewed interest in cybersecurity and the House Oversight Committee’s addition of a cybersecurity subcommittee, he said.

The Sony data breach has spurred cybersecurity interest among many congressional committees with a cybersecurity interest, including a House Foreign Affairs Committee public briefing set for Tuesday on North Korea’s cybersecurity threat. The briefing is to begin at 10 a.m. in 2172 Rayburn. Rep. Bobby Rush, D-N.J., said Friday he plans to reintroduce the Data Accountability and Trust Act, which he and Rep. Joe Barton, R-Tex., co-sponsored in the 113th Congress. The bill would require commercial entities that possess customers’ personal information to implement effective information security policies and procedures, as well as notify consumers and the FTC after data breaches. Manning said he believes the Sony data breach will generate interest in passing a national data breach law.

The Sony data breach is likely to generate continued interest in cybersecurity policy in Congress, but like the 2013 Target data breach and other similar incidents, it’s unlikely to be a “game-changer” in terms of Congress’ direction on cybersecurity policy, Manning said. Any significant data breach “keeps cybersecurity in the public’s mind,” Barnett said. “Other breaches will occur, and in some ways that will provide ample encouragement to Congress to take actions where it can to improve cybersecurity.”

Proponents will use the Sony data breach as the primary justification for any number of cybersecurity bills, including CISPA, Forno said. But HR-234 won’t prevent the next Sony, and “90 percent” of any related legislation on Capitol Hill won’t “meaningfully enhance cybersecurity,” he said. The chief legislative goal from the federal agencies and Congress is to provide for more “information sharing,” even though companies are already doing that, Forno said. There’s no need to “reinvent the wheel,” he said.