Cybersecurity Legislation in the Lame Duck Session

Michelle Kincaid has an interesting outlook on cybersecurity legislation potential in the lame duck session in her cybersecurity blog post. While I don’t see anything in particular to disagree with, it is important to remember that political calculations change significantly in a lame duck session, making it much more difficult to successfully predict political outcomes.

While most people focus on legislators that are on their way out, who may (or may not) vote on principle instead of political motives now that they may never face the voters again, there is a new crop of Senators that are now starting into their two year election cycle; many of them will now begin paying more attention to political posturing than principle.

Legislation in the Senate

Most of the cybersecurity legislation attention is being focused on consideration of S3414. Sen. Reid (D,NV) that may bring this back to the floor for consideration this week and there is even a remote chance that it could pass in the Senate. The key stumbling block to its passage will be reaching an agreement with the Republicans on what amendments would be considered before a final vote on the bill. It is unlikely that, even if this bill does get passed in the Senate, that it will pass in the House where there is much more opposition to increasing government regulations.

Overlooked in most discussions of cybersecurity legislation is the fact that there are three bills that have already been passed in the House and are waiting for Senate action. They are

• HR 2096, Cybersecurity Enhancement Act of 2012;

• HR 3523, Cyber Intelligence Sharing and Protection Act; and

• HR 3834, Advancing America's Networking and Information Technology Research and Development Act of 2012

While the CISPA bill is more than a little controversial, the other two bills had strong bipartisan support in the House ( HR 2096 passed 395-10 and HR 3834 passed on a voice vote). While being far from comprehensive bills either of these could probably pass in the Senate if the leadership took the effort to bring them to a vote. These bills may provide Reid with a way of saying that the Senate dealt with cybersecurity legislation in this session.

Legislation in the House

With no Senate passed bills to consider, the House still has one cybersecurity bill that has been reported out of committee that could be considered on the floor with minimal effort; HR 3674, the PRECISE Act of 2012. This bill is actually the closest thing to a House counterpart to S 3414 in that it actually provides VERY limited authority for DHS to regulate cybersecurity in critical infrastructure. This could probably pass a House floor vote without any real problem, but it is too late for this to make it through the Senate as well.

If this bill had been passed in the regular session (and it was put on the house calendar back in July and then ignored) it would have provided a more useful discussion tool for Senate consideration of cybersecurity. It actually would form a pretty good basis for the executive order that is reportedly being worked on by the Administration.

If Rep. Lungren (R, CA) is returned for the 113^th Congress (the vote count has still not been certified and is trending against him) then I would expect to see this bill re-introduced in January.