Senator aims to axe important cyber report from own cybersecurity bill

According to tech companies like Apple, Dropbox and Twitter; trade associations like the Business Software Alliance (BSA) and Computer & Communications Industry Association (CCIA); and dozens of leading security experts, including Facebook’s head of cybersecurity Alex Stamos, there is not much about the Cybersecurity Information Sharing Act (CISA) that will meaningfully enhance cybersecurity — at least, not enough to garner their support.

{mosads}However, there are two provisions of CISA that might at least do something positive for cybersecurity. Sen. Richard Burr (R-N.C.), chairman of the Senate Select Committee on Intelligence and the bill’s chief sponsor, wants to gut both of them. He may just succeed at axing one.

First, Burr introduced an amendment (S.Amdt. 2743) to his own bill that, if passed, would remove a critical report. The report would require the Department of Homeland Security (DHS) to “develop a strategy that … ensure[s] that, to the greatest extent feasible, a cyber security incident affecting [a critical infrastructure entity] would no longer reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” This provision is a modified version of a larger effort Sen. Susan Collins (R-Maine) tried to insert earlier, but it has less punch than her original amendment. Nonetheless, it has real value for enhancing our nation’s cybersecurity. It is not only a good idea; it’s important for having a clear and reliable understanding of the state of our cybersecurity, and where significant improvement is needed.

Despite the inherent need to understand the gravest of vulnerabilities in the cyber landscape, the Chamber of Commerce has historically opposed these types of reporting requirements, calling them “regulatory overreach” that could harm affected companies’ profit margins. Whatever happened, someone must have put up a fight when they saw that Burr included the report in his final bill. Right after putting forth his final package, Burr turned around and introduced S.Amdt. 2743 to cut the report out entirely. Luckily, this amendment will not get a vote, though it is inexplicable what reasonable objection there could have been to this report that would caused Burr to propose removing it.

Burr is also seeking to cut a second valuable reporting requirement — and this time he may succeed (see page 6, line 3). It is buried in a mess of fixes to sloppy drafting: correcting grammatical mistakes, incorrect citations and the like. But this amendment would make a substantive change. It would remove a requirement that the Government Accountability Office issue a report examining and providing an economic analysis of “any impediments to agency use of effective security software and security devices.”

Given recent data breaches at federal agencies ranging from the Office of Personnel Management to the State Department, the Postal Service and even the White House, it’s clear that we need to do something to figure out what the problem is, and what impediments there are to shoring up the security of our federal networks. This report could help do that, and could even highlight places where Congress needs to improve in its role as appropriator to ensure that the federal government has the resources it needs to protect itself against cyberattacks. Why would Burr want to cut such a report?

This cut is included in an amendment that must pass by unanimous consent. It is not clear whether a senator will object, but the provision cutting this report, and the history behind the watering down and the subsequent attempt to cut Sen. Collins’s report, serve as yet more examples of how CISA — a purported cybersecurity bill — is far less concerned with identifying and resolving vulnerabilities in our cyber defenses than its sponsors would suggest.

Greene is policy counsel for the New America Foundation’s Open Technology Institute.