Security chief sees U.S. cyber legislation this summer
WASHINGTON (Reuters) - Congress is likely to agree on cybersecurity legislation this summer, U.S. Homeland Security Secretary Jeh Johnson said on Tuesday, citing growing consensus among lawmakers on the need to help industry share data with government about attacks on computer networks.
Lawmakers have been considering legislation to clarify how private companies should be required to disclose security breaches and cyber threats, but spats over liability and privacy protections have repeatedly thwarted comprehensive cybersecurity bills.
"My sense is that there's an effort to try to get something done this summer," Johnson told the Reuters Cybersecurity Summit, adding that he has discussed the matter with members of both the House of Representatives and the Senate.
"I've seen a fair amount of activity coming from both the House and the Senate and a real bipartisan desire to get something done," he said.
The legislation could include some targeted, transaction-specific form of limitations on civil liability to protect companies that share information about cyber breaches, he said.
Some observers remained skeptical that the divided Congress could agree on any meaty legislation giving government access to more data, especially in the wake of revelations about the scope of U.S. government surveillance programs by former National Security Agency contractor Edward Snowden.
"Cybersecurity was tough to pass before Snowden. It's much tougher now," Georgia Tech Professor Peter Swire told the Cybersecurity Summit.
"I don't believe Congress is going to vote on a massive increase of information sharing at the same time as it is voting to end (NSA's) bulk collection," said Swire, a member of President Barack Obama's independent panel that reviewed U.S. government spying practices in the wake of Snowden's disclosures.
But Johnson, who replaced Janet Napolitano as homeland security secretary in December, said tightening cybersecurity standards was "a good government, good business" practice that should not be a "political hot potato," even for a divided Congress.
"My sense is that Congress realizes this is an area where we can legislate and we ought to try," he told the summit.
The issue, he added, does not carry the religious or moral component of overturning the "don't ask, don't tell" policy that for 17 years applied to gays and lesbians serving in the military. Johnson helped to repeal that policy in 2011 while he was the Defense Department's general counsel.
The House last year for the second time passed a bill designed to help companies and the government share information on cyber threats, but it fizzled in the Senate. It did not address industry standards and the Obama administration had threatened to veto it over privacy concerns as many Democrats sought a broader bill.
Efforts to pass cybersecurity legislation got second wind in Congress last month as leaders of the Senate Intelligence Committee drafted their own bill, now circulating among key stakeholders in hopes of avoiding disagreements that have thwarted passage in the past.
The draft, from Senators Dianne Feinstein, a California Democrat, and Saxby Chambliss, a Georgia Republican, would offer liability protections and consider the possibility of data being shared not only with a civilian government agency but also military or intelligence agencies.
Privacy advocates have opposed giving companies liability protections because of concerns about abuses of consumer data.
Besides the limited liability, Johnson said key components of any legislation would be updating the Federal Information Security Management Act; clarity on the authority that DHS has over government web operations; and clarity on what commercial firms should share with the government.
He did not say if the Feinstein-Chambliss bill met all of those criteria.