The text of the Cybersecurity Act -- the conference-approved cybersecurity information sharing bill -- as anticipated (see 1512070056 and 1512150074) is included in the FY 2016 omnibus spending bill released Wednesday and this almost certainly means the conference language will make it through Congress. What happens once it reaches President Barack Obama is far less clear, industry lawyers and lobbyists said in interviews. The omnibus didn’t include policy riders that would have curbed the FCC’s February net neutrality order but did include a bipartisan rider that would grandfather broadcaster joint sales agreements from before the FCC limited them in March 2014 (see 1512160061). The omnibus also extended the current ban on NTIA’s use of funds for the Internet Assigned Numbers Authority (IANA) transition through the end of FY 2016. NTIA’s current contract with ICANN to administer the IANA functions is set to expire at the end of FY 2016. The IANA transition rider doesn’t extend into FY 2017 absent “any other law” enacted in the meantime.
Chairman Tom Wheeler laid out FCC priorities and timetables for members of the House Communications Subcommittee during a wide-ranging oversight hearing Tuesday. He predicted the agency would take a stab at ISP privacy rules early next year, committed to a focus on special access and set-top box concerns and timely attention to the upper reaches of spectrum. He addressed concerns about how the Enforcement Bureau and his office handle communications with other commissioners and also what the agency’s role should be after terrorist attacks in Paris.
The labor union representing flight attendants is again raising red flags over a proposal for air-to-ground (ATG) mobile broadband service over the contiguous U.S. Like its comments earlier this year on the docket and similar comments on an FCC proposal to lift the ban on using mobile phones for voice and data on flights (see 1502060034), the Association of Flight Attendants' ex parte filing posted Monday in docket 13-114 said the ATG proposal "would greatly enhance communications capabilities for terrorists and increase cyber warfare vulnerabilities." The filing recapped a pair of meetings between union representatives and staff of Commissioners Ajit Pai and Jessica Rosenworcel. Any FCC decision should wait until after the Safety and Security in the Air Coalition interagency group develops a study on potential threats and vulnerabilities and looks at possible mitigation, it said. An ATG draft order was taken off circulation earlier this year (see 1502120054).
The Office of Personnel Management (OPM) data breach announced Thursday, in combination with Congress’ recent passage of the USA Freedom Act (see 1506020052), temporarily increases attention on Senate consideration of the Cybersecurity Information Sharing Act (S-754), but it's unclear whether that will improve the bill's chances of passage, industry lawyers and lobbyists told us in interviews. The White House cited the data breach, which OPM said may have compromised the personally identifiable information (PII) of about 4 million current and former federal employees, as a reason for Congress to pass cybersecurity legislation (see 1506050042). The House overwhelmingly passed two cybersecurity information sharing bills in April -- the National Cybersecurity Protection Advancement Act (HR-1731) and the Protecting Cyber Networks Act (HR-1560) -- and sent the language from both bills to the Senate as a revised version of HR-1560 (see 1504230062 and 1504220066).
Whether the language of the Data Security and Breach Notification Act draft is too vague to protect consumers and provide guidance to companies, gives the FCC and FTC ample authority to protect consumers, and allows innovation, and whether privacy and data security can be regulated separately were key topics at the House Subcommittee on Commerce, Manufacturing and Trade’s hearing on the draft bill Wednesday. The bill was touted as bipartisan. But many Republican subcommittee members favored the narrow approach of the bill, while Democratic members raised concerns with the bill’s pre-emption of stronger state laws and a limited definition of what constituted as personal information.
Senate Homeland Security Committee Chairman Ron Johnson, R-Wis., said he wants to wait until the Senate Intelligence Committee’s much-anticipated redraft of the Cybersecurity Information Sharing Act (CISA) “winds its way” through committee markup before taking further action within Senate Homeland Security on cybersecurity information sharing legislation. Senate Intelligence Chairman Richard Burr, R-N.C., and Vice Chairwoman Dianne Feinstein, D-Calif., have been circulating a draft of the bill that includes more privacy protections than the bill's 2014 version, but most major privacy advocates already have opposed it publicly. The 2014 CISA cleared Senate Intelligence but never got a full Senate vote. Burr and Feinstein expect to introduce the bill and hold a closed-session markup as soon as Tuesday and definitely before the end of the month, an industry lobbyist told us. Johnson said during a USTelecom event Friday that he wants to “see the reaction” to the reintroduced CISA post-markup. Once “more people evaluate it,” Senate Homeland Security “will hop into the fray” and hold additional hearings, Johnson said.
As the smoke clears from an initial flurry of reaction, privacy advocates and some lawmakers applauded President Barack Obama's push to protect privacy, with the release of a draft of the Consumer Privacy Bill of Rights (CPBR) last week, (see 1502270052), calling the first draft a step in the right direction. Consumer privacy advocates, industry -- with the exception of Microsoft -- and Democratic and Republican lawmakers initially criticized the draft. Privacy groups said in a letter that they were shown a rough draft of the bill a week before its public release and asked several changes be made, some of which were implemented, including changes to "maintain longstanding privacy protections under the Communications Act.” Privacy groups said that if other changes are adopted, the bill could protect consumers. Industry groups, however, maintain the draft is a step backward, with many expressing concerns about innovation, and some saying the bill distracts from critical data security legislation that's needed.
The FCC’s expected vote Thursday to reclassify broadband as a Communications Act Title II service has the potential to unintentionally expand its regulatory authority on communications sector cybersecurity, ex-agency officials said in interviews. They conceded it’s unlikely the commission has any plans to exercise that authority in the near future given the strong likelihood of legal challenges to new net neutrality rules. Industry lawyers have said the FCC can claim authority on cybersecurity at least via Title I, and could stake a claim via Title II and Section 706 (see 1406240037). FCC Chairman Tom Wheeler has been championing improving cybersecurity risk management within the communications sector since last year via voluntary private sector-led work in the Communications Security, Reliability and Interoperability Council’s (CSRIC) Working Group 4 and the Technological Advisory Council (see 1406130056).
Rep. Dutch Ruppersberger, D-Md., reintroduced the controversial Cyber Intelligence Sharing and Protection Act (CISPA) Friday, but a new year and a new session of Congress hasn’t substantially changed the bill’s prospects for enactment, industry lawyers and lobbyists told us. Ruppersberger cited North Korea’s December data breach at Sony Pictures Entertainment as the impetus for his early reintroduction of the bill, saying in a statement that “we must stop dealing with cyber attacks after the fact.” The version of CISPA for the 114th Congress (HR-234) is a near facsimile of the version the House passed during the 113th Congress (see report in April 19, 2013, issue). The Senate didn’t vote on the Cybersecurity Information Sharing Act (CISA), which was substantially similar to CISPA, before the 113th Congress adjourned in December.
Communications Security, Reliability & Interoperability Council (CSRIC) Working Group 4 will be able to report at CSRIC’s meeting Wednesday that it has made “substantial progress” on its work to use the National Institute for Standards and Technology’s (NIST) Cybersecurity Framework for communications sector needs, said Working Group 4 Co-Chair Robert Mayer in an interview.