Industry groups are on the cusp of a big win this week as the House is expected to approve a pair of cybersecurity bills, following a years-long push from the business community.
Trade groups are banking that this is finally the year that Congress will pass legislation that would give companies liability protection when sharing data about hacks with the government.
The bills have been around in some form for nearly five years, but calamitous cyberattacks on Home Depot, Target and Sony have forced the hands of lawmakers in Congress.
“Maybe Sony was the straw that broke the camel’s back,” said Norma Krayem, a lobbyist with Squire Patton Boggs who co-chairs the firm’s cybersecurity industry group. “I think there’s simply no way members of Congress and the private sector can continue to move forward without addressing this problem.”
For many in the business community, the advancing legislation could be the culmination of nearly five years of meetings on Capitol Hill trying to convince lawmakers that cybersecurity should be a top priority.
“This is the one piece that’s never been able to get across the finish line,” said Jessica Herrera-Flanigan, a lobbyist at Monument Policy Group, which represents tech giants like Microsoft.
And, she added, it’s “the key piece.”
Groups like the U.S. Chamber of Commerce and Financial Services Roundtable (FSR) have long lobbied for the measures. They say sharing cyber threat data without legal protections could expose companies to frivolous shareholder lawsuits and possible regulatory action.
Lobbyists describe a stark change over the past two to three years in the way lawmakers approach cybersecurity.
In the past, meetings involved describing how hackers posed an economic threat to U.S. businesses and a national security threat to critical networks.
Now every office wants to know how it can get involved.
“We’re not going into offices having to explain this is a real threat to financial institutions,” said Jordan Quinn, policy manager for FSR, a major finance industry trade group pushing for cybersecurity legislation.
Discussions in 2011, 2012, Quinn said, were “drastically different than our conversations today.”
The House has even dubbed this week “cyber week” because of the votes occurring Wednesday and Thursday.
“This has gotten a ton of publicity,” Quinn added. “Staff is talking about it in the hallway.”
FSR even plastered roughly 200 Metro cars with banners so Capitol Hill staffers are reminded of the bills’ importance on their way to work throughout the week.
“There’s a lot of buzz around the word cybersecurity,” Quinn said. “Cybersecurity really is the buzzword of the year.”
While the Hollywood infighting revealed in emails leaked during the Sony hack made cybersecurity a gossipy topic, lobbyists say it was actually the Edward Snowden leaks that forced Congress to seriously address the privacy concerns that have repeatedly felled attempts to pass a threat-sharing bill.
Two or three years ago, privacy considerations “were not as front and center as they should have been,” Krayem said.
Snowden changed that. His revelations of massive government spying programs sparked a heated debate on Capitol Hill about how to protect Americans’ digital data.
When Congress approached the threat-sharing bills this year, it worked to inject clear carve-outs and forceful anti-surveillance language to mitigate privacy concerns.
The House bills — one from the Intelligence Committee, another from Homeland Security — would not give companies liability protections for sharing data directly with the National Security Agency or the Defense Department.
The bill from the Intelligence panel also includes sentences declaring it grants no new surveillance authority.
While the changes haven’t completely won over privacy groups, they have brought on a number of previously skeptical Democrats and potentially even the Obama administration.
White House cybersecurity coordinator Michael Daniel has said he believes there is a way to work forward with all bills on the table.
If the House passes its two bills, analysts don’t see any major barriers to uniting the language of the two before sending something to the Senate.
Lawmakers are able to combine two similar yet separate bills after passage if the process is agreed to before either hits the floor.
House committee leaders also based their language in large part on the Senate’s companion legislation, the Cybersecurity Information Sharing Act (CISA), hoping for a frictionless merger of the two chambers’ bills.
But lawmakers haven’t crossed the finish line just yet.
Amendments were filed with the House Rules Committee throughout Monday. Across the Capitol complex, a growing number of senators are planning to offer substantial amendments to CISA on the floor.
Major cybersecurity bills have neared the finish line before, Herrera-Flanigan cautioned. While small portions got through — measures to bolster the government’s cyber workforce and clarify agencies’ cyber responsibilities, for instance — information sharing has been left out.
“The one piece that has not been addressed has been the information-sharing piece,” she said.