The NRA's Influence over Cybersecurity'Don't Give an Inch' on Cyber Regs Mirrors Gun-Control Approach
Don't give an inch. That's the philosophy of those opposing any form of gun-control legislation, and it seems to be the same approach of those opposing any form of cybersecurity regulation over the nation's critical IT infrastructure.
That could be a takeaway from a vote on April 18 in the House Homeland Security Committee, which gutted an earlier version of the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act, or Precise Act, that the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies OK'd Feb. 1 (see House Panel Approves Cybersecurity Bill).
The earlier version of the bill would have required the mostly privately operated national critical infrastructure to adopt information security standards to safeguard their IT systems and networks. It also would have authorized the Department of Homeland Security to coordinate IT security efforts among the federal government's non-defense and non-intelligence agencies as well as the operators of the critical infrastructure. The full committee stripped those provisions from the bill, over the objections of the panel's Democratic members.
House Republican leaders, as well as most ranking GOP members of Senate committees with IT security oversight, have voiced objection to federally mandated standards - or regulations, as they see it - over the private owners of the infrastructure as well as giving DHS a leadership role in cybersecurity matters. The bill's chief sponsor and subcommittee chair, Rep. Don Lungren, R-Calif., conceded that opposition by his Republican colleague prompted the amendment. Lungren, as described by the National Journal, was visibly resigned, and he told the full committee that the bill would never make it to the House floor if those provisions hadn't been diluted. "That's a fact of life," he said.
Democrats expressed their annoyance with the changes. "Unfortunately, despite the best intentions of the many members on the other side of the aisle with whom I have worked on this issue, House Republican leadership appears determined to approach this vital national security challenge like every other issue: in an extremely partisan way that impedes progress, in this case siding with those in critical industries who are neglecting public safety," Rep. Jim Langevin, the Rhode Island Democrat who chairs the House Cybersecurity Caucus, said in a statement issued shortly before the vote.
For more than a decade, Democrats and Republicans have united on creating legislation to govern IT and IT security in government, but it's only been in recent months that partisan rhetoric has surfaced on cybersecurity matters. At the heart of the divide is a philosophical difference on the role of government. Simply, Republicans believe in a hands-off approach, leaving it to the operators of the critical systems to decide how best to defend them. Democrats, for the most part, believe the government has the responsibility to assure the protection of networks vital to the functioning of our society and economy, regardless of their owners.
Provisions for security standards in the original Precise Act, as well as the Obama administration backed Cybersecurity Act of 2012 before the Senate, are seen as compromise legislation. Those provisos call for government to collaborate with the government to create security standards; government alone isn't going to dictate regulations to industry (unless industry refuses to cooperate). Protecting vital networks would be a joint government-business effort. Still, Republicans see such collaborative efforts as the first step down a slippery slope toward restrictive government regulations.
This new divide over cybersecurity legislation mirrors the National Rifle Association's obstinacy on supporting even the mildest form of gun control, such as banning high-capacity ammunition magazines used in the assassination attempt on Rep. Gabrielle Giffords. The same can be said of Republicans in Congress on even the most timid form of regulation, including those created with the help of the very businesses that operate the critical national IT infrastructure.