Rand Paul's last-minute demands push key cybersecurity law to the brink

A key cybersecurity law with broad bipartisan backing is in danger of expiring because of last-minute demands from Sen. Rand Paul (R-Ky.), who seems reluctant to engage with the private sector or other committee members on the issue, congressional aides from both parties tell Axios.

Why it matters: The authorities that expire in late September underpin most information sharing on cyber threats between the private sector and the U.S. government. If they lapse, that trading of information could cease next month, lawmakers and private sector executives have warned.

Driving the news: The Senate Homeland Security Committee canceled a markup planned for Thursday on a bill that Paul, the committee's chair, was introducing that would make major changes to the Cybersecurity Information Sharing Act of 2015.

• The law provides liability protections for companies that share threat intelligence with the U.S. government, including information that might suggest their own security was lacking.
• Paul's draft bill, obtained by Axios, has proposed removing liability protections for companies if their security incidents are found to have violated their own user agreements and privacy policies.
• That's caused an uproar among industry sources who say those last-minute changes threaten to completely undermine the 10-year-old program.

The intrigue: The law has the public support of senior Trump administration officials and was expected to be renewed without much of a fuss before Paul's interventions.

• Senate aides, who requested anonymity to discuss sensitive legislative negotiations, told Axios the rest of the committee was only clued into the proposed changes two weeks ago.
• The aides describe the negotiations since then as one-sided, with Paul's office appearing closed off to making concessions.
• They don't expect the committee to reschedule the canceled markup before the Sept. 30 deadline.

Friction point: The aides argue Paul's office is trying to unilaterally re-write a law against the desires of the administration and other Republican lawmakers.

• A House aide, who also requested anonymity to speak freely, added that the key provisions of the law have the backing of "most members of Congress, industry leaders, the privacy community, and state and federal government partners," regardless of party.

The other side: A spokesperson for Paul told Axios: "We dispute the characterization that we have not been open to changes, and any assertion otherwise is false."

What they're saying: "With less than two weeks left to act, Congress must pass an extension of these cybersecurity protections and prevent a lapse that would completely undercut our cybersecurity defenses and expose critical sectors to preventable attacks," Sen. Gary Peters (D-Mich.), ranking member of the Homeland Security Committee, said in a statement..

• Peters said he was still working "toward a bipartisan, bicameral deal that will renew these protections for the long-term."
• Earlier this week, House Homeland Security Chair Andrew Garbarino (R-N.Y.) said in a statement that the program has been "successful largely due to the liability, privacy, and civil liberties protections this statute provides."
• Trump appointees including Homeland Security Secretary Kristi Noem, National Cyber Director Sean Cairncross and Sean Plankey, Trump's nominee to lead the Cybersecurity and Infrastructure Security Agency (CISA), have all supported reauthorization.

The intrigue: Senate aides echoed concerns that cybersecurity industry stakeholders have also shared with Axios: That Paul is conflating CISA the agency with the information-sharing program, which shares the same acronym.

• Paul has called for completely eliminating CISA due to his critiques of the agency's foreign disinformation work.

What's next: Senate aides say they're now hoping for a one-year extension of the program to give lawmakers more time to work out their differences.

• The White House has also included a short-term extension of the program in the short-term funding deal that House lawmakers passed Friday.

Go deeper: Congress puts up last-minute roadblocks for cyber threat info-sharing