Congress punts cybersecurity, so White House may act alone
Now that the latest effort to advance comprehensive cybersecurity legislation has failed in Congress, attention is now shifting to the White House, where officials have been developing an executive order to better protect the nation's critical infrastructure from digital attacks and vulnerabilities.
Earlier this week, the Washington Post reported that President Obama had signed a secret policy directive outlining new protocols for federal agencies in dealing with cyberthreats and providing new authorities for the military "to act more aggressively to thwart cyberattacks on the nation's web of government and private computer networks."
That revelation came as Senate Republicans on Wednesday defeated a procedural measure that would have advanced the Cybersecurity Act backed by Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), objecting that the Democratic majority was trying to push the bill through without sufficient debate and by limiting the number of amendments that members could introduce.
At the very least, that will move the debate over cybersecurity legislation into next year, and likely into the new session of Congress, with the primary fault lines in the debate -- whether the government should impose cybersecurity mandates on private-sector infrastructure operators; whether the military or Department of Homeland Security should take the lead in civilian cybersecurity -- expected to resurface, while the White House could still move ahead with a more expansive executive order that the policy directive Obama reportedly signed in October.
Out of Congress' hands (for now)
Following Wednesday's vote, Senate Majority Leader Harry Reid (D-Nevada) indicated that comprehensive cybersecurity reform is effectively off the table for this Congress, and called on the White House to move ahead with its executive order to address the issue.
"Given Republican intransigence, I hope President Obama uses all the authority of the executive branch at his disposal to fully protect our nation from the cybersecurity threat," Reid said.
But then on Thursday, Senate Minority Leader Mitch McConnell (Kentucky) said he is hopeful that the chamber can return to cybersecurity in January with a more inclusive debate.
"The majority leader had made prior commitments to allowing a free and open debate on cybersecurity, a matter that Republicans acknowledge must be addressed especially in the areas of information sharing, and providing some degree of liability protection to those companies that do share cyberthreat information with one another and the federal government," McConnell said Thursday on the Senate floor, calling for consideration of an alternative -- and much more limited -- cybersecurity bill backed by several leading Republicans to be included in any debate of the more comprehensive Lieberman-Collins measure.
"My expectation is that sometime in December after we have completed floor debate on the Defense Authorization bill, and then dispose of the Intelligence Authorization bill, we will then attempt to get an agreement on amendments to the cybersecurity bill," McConnell said.
Several leading technology trade groups, including the Business Software Alliance (BSA), expressed disappointment that lawmakers could not advance an issue that has been under debate for years in Washington and remains a matter of high importance to their members. At the same time, BSA President and CEO Robert Holleyman conceded that no bill is likely to move before the next session of Congress, a view echoed many other observers.
"It is disappointing that Senators haven't yet been able to reach an agreement on cybersecurity legislation -- but stalemate doesn't make the issue go away," Holleyman said in a statement. "There is no getting around the fact that we need to bolster America's cybersecurity capabilities. We urge both parties to put this issue at the top of the agenda in the next Congress."
Some of the core provisions of cybersecurity reform have broad, bipartisan support, such as the need to reduce barriers that have prevented government and private-sector entities from sharing information about cyberthreats, and the importance of boosting programs that support cybersecurity research and education.
But the notion of binding regulations for private-sector infrastructure operators and the question of where government oversight authority should be concentrated have thus far proved intractable, leaving lawmakers deadlocked.
Cybersecurity experts offer advice
On Thursday, a panel of cybersecurity experts weighed in on the political landscape at an event here at the National Press Club co-hosted by the American Bar Association and Northwestern University's Medill National Security Journalism Initiative.
Joel Brenner, an attorney with the firm Cooley LLP and the former inspector general at the National Security Agency, suggested that the comprehensive approach that the Lieberman-Collins bill takes—and the administration supports—is one of the main reasons for the snag on Capitol Hill.
Unpacking that bill into smaller, piecemeal initiatives would enable Congress to advance less controversial measures, such as information sharing, that could have an easier time passing and would do so with a broader bipartisan mandate.
"If you took this big omnibus bill apart, which is what Republicans wanted to do, you really might find that we could get some of these smaller balls over the goal line," Brenner said. "But it's not happening, and the administration seems determined to do it this way, at least for the time being. I think it's a terrible error."
Of all the issues at play—and there are many, spanning technical, policy, business and jurisdictional concerns —the fundamental divide over whether the government should play a role in drafting and enforcing cybersecurity standards is among the most contentious.
Jody Westby, founder and CEO of the consultancy and legal firm Global Cyber Risk, argued that many of the current challenges in the cyber arena arise from the problem of attribution, the inability for law-enforcement authorities to track and trace the origin of an attack, particularly when that trail leads them outside the borders of the United States.
For Westby, a debate over regulation and federal enforcement of standards misses the point. Instead, she argues for reframing the discussion to focus on legal reforms and other measures that would enable law enforcement to more effectively capture and prosecute cybercriminals.
"I'm thrilled that the bill didn't pass. I think it was the right thing to do. I think now we have to the perfect opportunity for a new conversation with a new Congress," she said.
"You could put all the mandates in the world on businesses, and it will not do anything about the software vulnerabilities, the hardware vulnerabilities in their systems. It will not do anything about the social engineering vulnerabilities of the human—people that are being exploited every day. It will not do anything about the websites that are infected, when you get your own computers infected simply because you went to a website and clicked on something. Those are called drive-by infections. It's not going to do anything about all the different police departments that don't know how to investigate cybercrimes, so nothing ever gets done with them. It's not going to do anything about all the bring-your-own-device issues and all the vulnerabilities that exist in mobile apps. There are so many flaws in that bill that it would have been a travesty to pass it."
Then supporters of some level of baseline standards warn that the threats against critical systems such as the electrical grid, oil and gas pipelines and the nation's financial houses are only escalating. The phrase "cyber Pearl Harbor," recently invoked by Defense Secretary Leon Panetta, has often been repeated throughout the debate inside the Beltway (dismissed by some, Westby included, as hyperbole), and in public statements and in testimony before congressional committees, administration officials routinely stress the urgency of the threats and the shortcomings of the nation's defenses.
Many Washington insiders with national security experience are of the same mind. Stewart Baker, a partner at the law firm Steptoe & Johnson who previously served as assistant secretary for policy at the Department of Homeland Security and general counsel at the NSA, noted how the tools to launch a damaging attack have become more automated and far easier to deploy, while an attack like Stuxnet offered "proof of concept" that critical digital systems face a real risk.
"This is an area where regulation probably makes some sense," Baker said. "The idea that no regulation is necessary is irresponsible."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.