A bill aimed at putting teeth into government involvement in IT security to protect the nation’s critical infrastructure has been blocked in the Senate, barring its last chance for passage. The bill was an outgrowth of congressional committee meetings on cybersecurity held since the late 1990s, a topic made more urgent in recent months by the Obama administration and national security officials.
In July 2011, President Barack Obama called for lawmakers to pass a cyber security bill in order to prevent cyber attacks, warning the lawmakers such attacks could effectively shut down the nation’s public and private sectors. This view was supported by Pentagon officials, who had warned repeatedly about threats to national and homeland security in cyberspace – especially those that threatened infrastructure networks that control the nation’s electrical power grid, watertreatment plants, and transportation systems.
First introduced in February 2012, the act created standards for critical infrastructure, and gave legal immunity to companies who would be in compliance with them. Its main goal was to encourage the sharing of information on cyber threats between private businesses and the U.S. government, providing incentives to companies that adopt the protections against hackers and malware.
The measure would have required the Department of Homeland Security to assess the risks and vulnerabilities of computer systems running at critical infrastructure sites. This called for annual reports from the departments of Justice, Homeland Security, Defense as well as the Intelligence Community Inspectors General, to describe what information is received, by whom, and how it is used. If passed, the act would have seen the creation of a National Cybersecurity Council, to be chaired by the Homeland Security Secretary in order to coordinate defensive measures in dealing with cyber attacks.
While giving the government more power over the sharing of IT security information, the act also would have given the public the right to sue the government if it intentionally or willfully violated the law.
Some critics of the bill, including many Republican lawmakers and business organizations, warned that creating another government bureaucracy would cause harm by saddling them with increased costs of doing business. Another commonly voiced criticism of the bill was that it was not clear just what incentive measures would be offered to private companies for compliance.
In an attempt to address some of these concerns, a revised version of the bill that made security standards voluntary appeared in July. Debate followed during the week of July 27, and although a majority of Senators supported the act, votes on Aug. 2 fell short of the 60 needed to invoke cloture, or close debate.
Reactions
In the end, many Republican legislators claimed they were reticent to give the Federal government greater power over the private sector. Some also continued to express the belief that such measures would lead to increased costs for companies that manage the nation’s critical infrastructure while at the same being ineffective against the threat of cyberattacks.
For its part, the White House issued a statement expressing its frustration: “The politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyberattacks.”
The Information Technology Industry Council (ITI), too, appeared to be disappointed with the outcome. “The Senate vote is a reminder that we have a long way still to go,” Dean Garfield, ITI’s president and chief executive, said in a statement. “We hope that, despite this setback, Senators will continue to work with stakeholders and reach agreement on a proposal that embraces security innovation as the best way to counter the threats we all know are out there. Any effort must recognize the critical importance of private-sector leadership for information and communications technology innovation, increased information sharing, and a risk-management approach.”
What’s Ahead?
While the Cybersecurity act of 2012 itself was defeated, discussion and debate on the subject of how best to protect the nation’s critical infrastructure with respect to IT security is likely to continue. The White House hasn’t ruled out issuing an executive order to strengthen the nation’s defenses against cyber attacks if Congress refuses to act.
“In the wake of Congressional inaction and Republican stall tactics, unfortunately, we will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have fixed,” White House Press Secretary Jay Carney said in an emailed response to whether the president is considering a cybersecurity order.
“Moving forward, the President is determined to do absolutely everything we can to better protect our nation against today’s cyber threats and we will do that,” Carney said.
The White House has emphasized that better protecting vital computer systems is a top priority.
The American Civil Liberties Union (ACLU), which had opposed the legislation from the start, appeared to be pleased with the vote, but also offered words of caution.
“Regardless of today’s vote, the issue of cybersecurity is far from dead,” ACLU legislative counsel Michelle Richardson said in a statement. “When Congress inevitably picks up this issue again, the privacy amendments in this bill should remain the vanguard for any future bills. We’ll continue to work with Congress to make sure that the government’s cybersecurity efforts include privacy protections. Cybersecurity and our online privacy should not be a zero sum game.”
Senator Joseph Lieberman (I-Conn.), who championed the cybersecurity measure in the Senate, said that he would “remain ready to return to negotiations for a law.”