Cyber debate hinges on amendments

The fate of the Senate's cybersecurity reform measure now hinges on amendments — and bill sponsors, the White House and top Republicans have all drawn their lines in the sand.

The challenge for the Cybersecurity Act of 2012 after a key procedural vote Thursday is whether a growing number of amendments can resolve enough differences to attract GOP support in the Senate — and, ultimately, the House, too — while not completely removing the teeth that Democrats and the Obama administration think are essential to protect the nation from cyber threats.


Some Republicans are angling for a broad set of revisions to the critical infrastructure and information sharing bill, and a bloc of GOP members plans to pitch its own cybersecurity measure — the SECURE IT Act — as an amendment during the forthcoming floor debate. That rival bill leaves out any mention of cybersecurity protections for critical infrastructure, a change to the legislation that the White House indicated Thursday it would not support.

Other amendments lawmakers are promising could add new provisions to the bill meant to improve energy-grid security or require tech companies to disclose when they have been breached by hackers.

There are also members angling to amplify the privacy safeguards in the measure, or revise its section on liability protection.

The coming debate over those changes and others is going to be critical for the bill’s backers as they canvass the chamber for votes and seek passage before the August break. Senate Democratic Leader Harry Reid already has made clear he will permit a broad swath of amendments — so long as they're germane — as sponsors try to cobble together a compromise that can clear the Senate and yet still prove appealing to the House.

The list of amendments to be debated is still not finalized and can change. But the speeches, the letters from industry and the posturing on the floor over the past few days have provided an early glimpse of what still remains a slog ahead for the Senate.

Sen. Kay Bailey Hutchison, for one, laid out a series of revisions that could make the bill more palatable to her allies. That could include more explicit provisions making the critical-infrastructure sections voluntary, a standards-setting process led by NIST and not the Department of Homeland Security, and more robust liability protections for business, among other things.

However, Hutchison pledged that she and her colleagues also would unveil their cybersecurity counterplan, the SECURE IT Act, as an amendment in the form of a substitute, in addition to offering the different provisions of that bill as individual amendments. The full SECURE IT Act does not try to bring new security procedures to entities deemed critical infrastructure.

Other members are angling to expand the bill's liability protections in a way to appeal to more owners of power plants, water systems and other essential entities. Sen. Joe Lieberman suggested that could come from Sens. Jon Kyl (R-Ariz.) and Sheldon Whitehouse (D-R.I.), though the two lawmakers have remained mum on their work — and no one has publicly shared any text.

It's a tweak Sen. Susan Collins, particularly, would back — the Maine Republican said on the floor this week she is "open to making that a more robust liability protection" section. But the White House warned in a statement Thursday it isn't supportive of "overly broad immunities from legal obligations" because that would "undermine the very trust that the bill seeks to strengthen."

Other lawmakers could look to add totally new elements to the bill.

For example, tech stakeholders have buzzed for months about adding to the measure new rules on data security and breach notification, though it's not clear that would net lawmakers any new votes.

Sen. Jay Rockefeller (D-W.Va.) — one of the cyber bill's sponsors — previously has been among the proponents of new language meant to require tech companies to improve their practices in handling and securing consumers' personal data. That amendment, if offered, would stem from Rockefeller's own bill on data security and breach notification, which his Senate Commerce Committee has been unable to bring to a markup.

But Republicans have their alternative — a data breach bill offered by Sen. Pat Toomey (Pa.) and others that is markedly different from the Democratic plan. A spokeswoman for Toomey told POLITICO he's still considering a move to put it forward as an amendment.

Related tweaks could come from Sen. Richard Blumenthal (D-Conn.), who suggested on the floor Thursday he might jockey to give individuals the ability to recover damages in the event they have been harmed by a data breach. That comes from a bill he pushed before the Senate Judiciary Committee in this Congress. And part of Blumenthal's efforts also could see the creation of a top privacy office in the Office of Management and Budget.

Sen. Patrick Leahy (D-Vt.) has already filed three amendments of his own — a proposal that would enhance the penalties issued to those who violated a key computer fraud statute, as well as Leahy's own data-security measure. And he's apparently also hoping to amend the cybersecurity bill with a proposal that would update the Video Privacy Protection Act, an issue that's not even related to the durability of digital networks.

Sen. Chris Coons (D-Del.), meanwhile, said Thursday on the floor that he hopes to add to the bill new language that would sunset its requirements, requiring Congress to re-evaluate it in a few years. Some Republicans have expressed interest in that idea.

For Sen. Al Franken (D-Minn.), the concern is the bill's privacy protections — the proposal, as it stands, might give companies great latitude to monitor their networks and interfere with consumers' computers to prevent threats.

On the floor, Franken said the bill would "give ISPs and other companies a brand new right to monitor communications and deploy countermeasures," which Franken said is "so broad that if a company uses that power negligently to snoop in on your email or damage your computer, they will be immune from any lawsuit."

The senator said his amendment would strike those sections, and he said he had some early support from fellow lawmakers.

Meanwhile, Sen. Jeff Bingaman (D-N.M.) has already said he hopes to offer his prior bill to improve energy-grid security during floor debate, and Lieberman said earlier in the week he hopes to discuss the matter further with his colleague.

This article first appeared on POLITICO Pro at 5:31 a.m. on July 27, 2012.
