Banking Groups Push for Senate Cybersecurity Vote

WASHINGTON — The banking industry is stepping up pressure on the Senate to pass a cybersecurity bill this fall that would expand information sharing on cyber threats between private companies and the federal government.

The Intelligence Committee approved the measure 12-3 last month in a closed-door vote, but it remains unclear whether the full chamber will take up the Cybersecurity Information Sharing Act this year.

The financial services industry has largely been supportive of the measure, arguing that greater information sharing across different sectors and the government is necessary to fend off future attacks. But the legislation still faces hurdles, especially due to ongoing concerns by privacy advocates over a lack of consumer protections in the bill.

"The main focus is getting this to the Senate floor. There are a lot of interested parties doing outreach," said Anthony Cimino, vice president of government affairs for risk management at the Financial Services Roundtable.

A dozen financial groups, including the Roundtable, the Independent Community Bankers of America and the Electronic Transactions Association, sent a letter Thursday urging lawmakers to take up the bill as soon as possible.

"As it stands today, our laws do not do enough to foster information sharing and establish clear lines of communication with the various government agencies responsible for cybersecurity," the letter says. "Simply put, there is a limit to our ability to protect our customers and there is a clear need for Congress to act."

The push on Congress is expected to continue over the August recess, with several banking trade groups saying they plan to send additional letters and meet with Hill staff and lawmakers to make the case for the information-sharing bill over the summer break. The timing is particularly tight because there will be just a handful of days to legislate when lawmakers return in September, before the focus in Washington turns entirely to the mid-term elections. It's not clear that Senate leaders would want to put vulnerable lawmakers up to a tough vote so close to November.

"It's really a race against the clock right now to see whether we can get this done," said James Ballentine, executive vice president of congressional relations and political affairs at the American Bankers Association.

A spokesman for Majority Leader Harry Reid's office did not respond to a request for comment on whether the Senate would consider the bill in coming months.

Advocates are likely to continue the debate into next year if they fail to advance the Senate measure, but there are more unknowns to contend with. The parties are in a dead heat for control of the chamber in the new Congress, and the elections are likely to cause a fair amount of turnover between retirements and upsets.

"It's always problematic to get started all over again," Ballentine added. "Not only do you have to reengage on the issue, but you also have to educate new members in Congress. It's difficult to go back to square one. But sometimes you have to do that."

Supporters of the bipartisan proposal, authored by Sens. Dianne Feinstein, D-Calif., chairman of the intelligence panel, and Saxby Chambliss, R-Ga., the ranking member, argue that the bill would foster increased sharing of sensitive cyber information. The legislation provides private companies sharing information with some protection against lawsuits, and the measure could help improve sharing capabilities across different sectors.

"The bill would give financial services greater access to data about cyber threats that arise in other sectors, including sectors on which financial services relies," said Nathan Taylor, an attorney at Morrison & Foerster. "For example, an attacker may be equally willing to attack a utility and a bank. If the threat first arises with a utility, other sectors, including financial services, can be more prepared if they receive that threat data."

But critics argue that liability protections for private firms must be balanced with safeguards for consumers, an ongoing issue that has permeated the cybersecurity debate for years.

"If you want the bill passed, privacy concerns — whether real or imagined — represent a huge roadblock," Taylor said.

The push for privacy remains an especially hot-button issue in the wake of the National Security Agency data collection scandal, with critics warning that the bill fails to provide sufficient protections on what information the government will collect and how it will be used.

"The bill seems to disregard the revelations about surveillance conducted by the National Security Agency both within the U.S. and includes no new civil liberties protections responsive to those disclosures," the Center for Democracy and Technology said in an analysis of the bill.

Still, bankers and others have downplayed such concerns, arguing that data is shared only if it's related to a possible attack, and that even in those cases firms are careful to pass along just the bare-bones information needed — generally not personally identifiable information.

"The shared information is scrubbed, and banks and others are seeking to share as little information as possible. We're sharing information around malicious activity that we're seeing, so that it can be further investigated," said Karl Schimmeck, managing director of financial services operations at the Securities Industry and Financial Markets Association.

If the Senate does manage to approve the bill this year, observers suggested that House lawmakers are interested in working to align the Senate proposal with the more controversial Cyber Intelligence Sharing and Protection Act, which the House passed in 2012 and again in 2013.

"I am pleased the Senate Intelligence Committee voted their bill out of committee. The House has sent two cyber bills to the Senate, and their action on this bill is a great step toward getting a cyber information sharing bill signed into law," said Rep. Mike Rogers, R-Mich., chairman of the House Intelligence Committee, in a statement. "We continue to resolve our differences on this issue, and I am confident that a final bill that enhances our security while protecting privacy and civil liberties can be worked out quickly in conference."

The White House has yet to take a public stand on the Senate bill, though top officials want the privacy protections strengthened, according to press reports. The Obama administration previously threatened to veto the House information-sharing bill, which has not been considered in the Senate.

The House, meanwhile, passed a handful of narrower cybersecurity measures earlier this week, including a bill by Rep. Mike McCaul, R-Texas, chairman of the Homeland Security Committee, which includes additional information-sharing provisions.

For reprint and licensing requests for this article, click here.
Law and regulation
MORE FROM AMERICAN BANKER