Cybersecurity Legislation Week 2015
Some people are calling this week a Cyber Legislation Week. As the entire cybersecurity industry starts making its annual pilgrimage to the foggy city on the bay where they will spend several days inside a conference hall talking about or listening to nothing but information security, our elected officials on the other side of the country will attempt to capitalize on all of that RSA conference excitement by moving forward on several pieces of legislation on cybersecurity.
This isn’t the first time these issues have come before Congress, but most previous efforts have failed. Last year’s cybersecurity legislation never made it to the floor for a vote, and the Patent Transparency and Improvements Act and the USA Freedom Act died in the Senate. At the time, it was thought that this Congress would not revisit these issues, but the recent Sony attack and the President’s Executive Orders have changed all that.
During cybersecurity legislation week, in addition to the return of the old issues, we will see challenges to the FCC’s new Net Neutrality rules. The FCC rules were officially published this week, opening the door for lawsuits to be filed.
First up this week is patent reform, with a House hearing on H.R. 9, the Innovation Act. Look for a Senate version to be introduced later this week. The goal here is to limit patent trolls and to prevent them from basically extorting money from companies, while at the same time protecting new inventions.
Cybersecurity Information Sharing Act
But the big elephant in the room that has people concerned on all sides is the Cybersecurity Information Sharing Act or CISA. The bill was first introduced last year and on the surface, it sounds like a great idea. It should make it easier for private companies to share threat and attack data with the federal government, which could then gather everything in one place to look for potential correlations before sharing those findings back out with private companies, making everyone a little more secure. Privacy advocates felt the original bill went a little too far and further increased the reach of US intelligence-gathering capabilities. When the White House objected to the bill and threatened not to sign it, the bill died and never saw a vote.
But now, in the aftermath of the breaches at Target, Home Depot and of course Sony, CISA has returned. It has already passed the Senate Intelligence Committee and a similar bill made it through the House Intelligence Committee last month. The White House has responded well to the new version although some privacy advocates are still concerned. The Homeland Security panel released its version of CISA on Monday this week and plans to hold a markup of the bill on Tuesday. If the Homeland Security and Intelligence bills are combined by the Rules Committee before they head to the floor, the final bill could end up looking drastically different from what was originally planned for this bill. A floor vote is scheduled on the Senate version for the middle of RSA week, sometime between April 21st and 23rd.
National data security and breach notification
On Wednesday this week, the House Energy and Commerce Committee will mark up its bill to create a national data security and breach notification standard. If passed, this bill would supersede the various individual state breach notification bills. This has some opponents worried because several state breach notifications have much stronger consumer protections than this federal version.
With the cybersecurity issue likely to be wrapped up in the next few weeks one way or the other, some legislators will likely turn back to NSA reform. With Section 215 of the Patriot Act due to expire on June 1st, there may be some legislative movement on this issue. John Oliver’s interview with Edward Snowden has only helped to further ignite discussion on the issue of surveillance reform.
More to come
Between the legislative happenings in Washington, DC and almost the entire security industry convening in San Francisco next week, the cybersecurity arena will be a busy one over the next two weeks. Watch this space for more news as it breaks.
See my follow-up blog for results of the week's activities.