On September 19, 2014, House Intelligence Committee Chairman Mike Rogers followed up on comments he and Senate Intelligence Committee Vice Chairman Saxby Chambliss made last week concerning the prospects for cybersecurity information sharing legislation. Chambliss and Rogers have been sounding the alarm that cyber legislation is not likely to get done this year. 

Speaking at the Intelligence and National Security Summit, Rogers said bluntly: "We're in this last window. If we don't get this bill done in the lame duck this year, the whole process starts over and I guarantee you it will take another two years to get this done." Rogers also disputed concerns that the cyber bill passed by the House, the Cyber Intelligence Sharing and Protection Act (known as CISPA), does not adequately protect privacy. He expressed frustration that the debate on sharing cyber threat information, which he said the Russians and Chinese already have, has become a debate over privacy. 

Given that many of the key players on cyber legislation, including Rogers, Chambliss and Senators Jay Rockefeller and Tom Coburn, are retiring from Congress this year, it is likely that any new legislation will have to start over through the committee process. For cyber legislation, this process has involved numerous hearings before the relevant House and Senate committees—including Intelligence, Commerce, Homeland Security and Judiciary—and soliciting comments from industry, privacy and government representatives.

The passage of cyber legislation has also been tied to consideration of a bill to amend foreign intelligence collection under the Foreign Intelligence Surveillance Act and the USA PATRIOT Act. Critics of the now-disclosed National Security Agency metadata collection program have insisted that FISA reform be passed first, before any new authority is given to the private sector to share cyber threat information with the government under a grant of liability protection. Privacy advocates have expressed concerns that CISPA and the Senate Intelligence Committee bill, the Cybersecurity Information Sharing Act of 2014, offer too few protections for private information, especially for consumers who do not want their information shared with the NSA, and are too generous in the liability protections given to companies sharing information with each other or with the government.

Companies across all sectors that use or rely on data could be impacted by cyber incidents. As Rogers said, cybersecurity is "the greatest national security threat America is not ready to handle." These companies have a stake in this legislation and should monitor its progress to ensure there are strong incentives and solid legal protections for sharing cyber threat information. Companies should also ensure that the legislation clearly allows them to defend their own networks from attack. All companies across all sectors should maintain awareness of potential cyber threats, have appropriate policies and procedures already in place, and be ready to take actions to prevent, mitigate or respond to such threats.