Lawmakers’ enthusiasm for passing a cybersecurity bill will face a major hurdle this summer — National Security Agency (NSA) reform.
By June 1, Congress must reauthorize the sections of the Patriot Act that are the basis for the NSA’s most controversial surveillance programs.
Surveillance concerns have taken a back seat to cybersecurity following the dramatic hack on Sony and a subsequent White House cyber push. But many believe NSA reforms are crucial before the centerpiece of the White House’s cybersecurity proposal — cyber information sharing between the public and private sector — can pass Congress.
“I think whenever you talk about cyber information sharing, you’re going to have to address the NSA issue, or, more properly, the privacy issue,” said Alex Manning, who was staff director of the House Homeland Security subcommittee on cybersecurity last Congress.
The White House proposal would put the Department of Homeland Security (DHS) at the center of a program allowing the private sector to share information about cyber threats with government agencies, in exchange for legal liability protection.
Industry groups and intelligence agencies argue information exchange is essential to bolstering the nation’s cyber defenses.
The administration’s DHS-centered plan seeks to respond to privacy concerns about the NSA that derailed past cyber info sharing proposals. During the 2014 lame-duck session, lawmakers’ failure to curb the NSA’s surveillance programs was seen as the death knell for a cyber info-sharing bill.
“I think the politics are you don’t want NSA doing a domestic security role, or if they do it has to be very limited,” said Jim Lewis, a cyber warfare expert at the Center for Strategic and International Studies (CSIS). “And cybersecurity would be very much like domestic surveillance.”
While privacy advocates say putting DHS in charge is a step in the right direction, they argue the measure lacks clear safeguards to prohibit personal information from ultimately migrating to the NSA.
They say only addressing NSA reform first can truly accomplish that goal.
“Instead of calling on Congress to pass information sharing legislation, the president should again call for the passage of effective surveillance reform,” said Robyn Greene, policy counsel for the Open Technology Institute.
Both sides are focused on the June 1 deadline to renew portions of the Patriot Act. The fight over the act and NSA reform could make or break cyber information-sharing efforts.
“It shouldn’t,” Sen. Angus King (I-Maine) told The Hill in an interview. “Come on, are you holding the country hostage here? Let’s deal with the immediate threat.”
King’s ire reflects a bipartisan sense that Congress needs to pass cybersecurity legislation quickly. But that sense of urgency is undercut by a number of obstacles.
The White House cyber proposal cuts across at least four different congressional committees and support for the measure doesn’t split evenly along party lines, giving the bill no obvious path.
“The whole process seems to be somewhat stalled,” said King, who sits on the Senate Intelligence Committee, which backed the most prominent cyber info-sharing bill last Congress. “We’ve got everybody talking about it, but nothing’s really happening.”
On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold this Congress’s first hearing on the topic, perhaps giving the White House initiative some momentum.
Homeland Security ranking member Tom Carper (D-Del.) told The Hill he is considering introducing the White House proposal either by himself, or hopefully with committee Chairman Ron Johnson (R-Wis.).
“My inclination is to ensure that it’s introduced,” he said in an interview. “That doesn’t mean we agree with every piece of it, just to make sure it’s not forgotten.”
Carper wants a bill on the table before the Patriot Act reauthorization efforts start in earnest, probably around April or May.
“We know what didn’t work,” Carper said, referring to 2014’s attempt to tackle surveillance reform first. “So maybe we should try something else.”
Further complicating the issue is a competing cyber info-sharing bill already floating around Congress. Rep. Dutch Ruppersberger (D-Md.) recently reintroduced the more controversial and NSA-focused Cyber Intelligence Sharing and Protection Act (CISPA).
The bill, which passed the House last year before stalling in the Senate, would allow private companies to share cyber threat info directly with the intelligence agency.
“I think we may very well end up with something in the middle,” Rep. Elijah Cummings (D-Md.) told The Hill. “Exactly what that looks like, I’m not sure.”
Cummings, the top Democrat on the House Oversight and Government Reform Committee, supports the White House proposal, but recognizes it can’t pass as written.
King called on Congress to set its own deadline for compromise legislation.
“We ought to have a summit meeting with the committee chairs and leadership and say, ‘Ok boys, you have a week to come back with a consensus bill,’” King told The Hill.
CSIS’s Lewis believes three measures would end up in such a consensus bill: legal protections for companies sharing info with the government; a definition of what constitutes “cybersecurity information”; and limitations on how the government can access and use that information.
The final part is the sticking point for privacy activists — and possibly a cyber info-sharing bill as a whole.
Limits on using that information are inherently “tied to surveillance reform,” said Jessica Herrera-Flanigan, a lobbyist at Monument Policy Group, which represents tech giants like Microsoft.
Until structural changes are made to the NSA’s surveillance authority, limitations written into a bill are unlikely to be completely effective, said OTI’s Greene.
“The administration’s cyber proposal does not do enough to protect privacy,” she said.
But lawmakers insist Congress has to act on cybersecurity, NSA reform or not.
“This is a freight train headed for us,” King said. “Let’s quit it with the excuses.”