WASHINGTON—Saying that losses due to cyber-attacks could cost the U.S. economy more than $400 billion this year, Senator Diane Feinstein (D-CA) argued passionately for final approval of the Cybersecurity Information Sharing Act, which was passed by the Senate at the end of October.
Quoting studies from the McAfee on the costs of cyber-crime, Feinstein listed a series of cyber-attacks, including one in 2012 on Saudi Arabia's Aramco Oil Company that wiped out three-quarters of its computers.
"It’s only a matter of time before they progress to our critical infrastructure," she said. Senator Feinstein was speaking to a small group of executives at the offices of Arent Fox, a law firm with offices here. Feinstein highlighted what she regards as one of the strengths of the bill as passed by the Senate. "We crafted a bill that got 74 votes on the senate floor," she said.
Despite the fact that the bill has already passed both the House of Representatives and the Senate, it has yet to reach President Barack Obama's desk for a signature, which means it's not even close to becoming law. The next step in that process is to send it to a joint conference committee to resolve differences between the versions of the act passed by the House and Senate.
This task was made more complicated because the House actually passed two versions of the CISA Bill, so both of the House versions have to be reconciled with the Senate version.
The conference committee has yet to meet to consider reconciliation. In fact, the conferees to the committee have yet to be named. Normally this isn't a big deal, but this is the end of the year and Congress will remain in session only four more weeks before it adjourns for the year.
Consider that the House and Senate only actually work three days a week, and it's apparent that there are only 12 more working days for all of this to happen.
Of course it could actually happen quickly, if the conference committee members are promptly named, since the differences among the three versions of the bill are minor. But will it happen? The chances aren't good and it's more likely the legislation will be kicked down the road until 2016.
One of the things that Sen. Feinstein is worried about is that big opponents of the bill, including many in the tech industry and many more who are privacy advocates, will oppose the bill when it comes out of conference, and they will work to get it killed then.
Once approved, bills emerging from the conference committee can’t be amended, and the opposition may be slightly more effective.
For this reason, Sen. Feinstein went into detail about the privacy protections contained in the Senate version of the bill, most of which are in the House version. She pointed out that the bill requires personally identifiable data to be stripped from any threat information that's shared with the government or other companies.