There are two categories of cybersecurity legislation awaiting Congressional consideration during the lame duck. First, there are a number of non-controversial, narrowly focused bills that are likely to be adopted as part of more comprehensive, must-pass legislation, such as the National Defense Authorization Act. Second, there is broader information sharing legislation that is unlikely to be enacted, despite bipartisan support in both the House and Senate.
Sponsors of the Cybersecurity Information Sharing Act, most notably Senate Intelligence Committee Chairman Diane Feinstein (D-CA) and Vice Chairman Saxby Chambliss (R-GA), remain highly motivated to get the bill done before Congress adjourns for the year. However, there has been no indication from Senate Majority Leader Harry Reid (D-NV) that he will move the bill to the floor, and there is little time left to work out an agreement.
Similarly, while Members of Congress and the Administration have talked up a federal data breach notification bill, there has been little follow-through on those statements and no progress being made towards getting a bill passed. Accordingly, there is almost no chance of legislative action on data breach legislation during the lame duck.
That said, legislation regarding both information sharing and data breach notification will undoubtedly be reintroduced next year. Congress will continue to debate these issues in a new political environment and under new leadership, at least in the Senate.
Senator Ron Johnson (R-WI) is expected to take the chairmanship of the Homeland Security and Governmental Affairs Committee. While not previously immersed in cyber policy, he did introduce a cyberespionage bill in this Congress and co-sponsored the SECURE IT legislation in the last. Sen. Tom Carper (D-DE), who will stay on as the Committee’s ranking member, has made cybersecurity one of his top priorities. He’ll be sure to continue his push for bipartisan work on the topic with Senator Johnson.
Several Democratic members of the Senate Homeland Security and Governmental Affairs Committee have lost their seats, including Sen. Mark Pryor (D-AR), Sen. Mark Udall (D-CO) and Sen. Mark Begich (D-AK). And another member of the Committee, Sen. Mary Landrieu (D-LA), is headed to a December 6th runoff against Rep. Bill Cassidy (R-LA).
At least four committees claim jurisdiction over cybersecurity policy in the Senate, including Homeland Security, Intelligence, Judiciary and Commerce. The same dynamic is at play in the House of Representatives, which complicates matters further.
With new leadership in the Senate, including Sen. Richard Burr (R-NC) chairing the Intelligence Committee, Sen. Chuck Grassley (R-IA) at the helm of the Judiciary Committee, and Sen. John Thune (R-SD) chairing Commerce, the 114th Congress will have to negotiate the boundaries of jurisdiction and responsibility on cyber anew. The beginning of the next Congress will be a lot of settling into roles for the Senate committees before they can even begin legislating.