Senate to Reconsider IT Security BillCan Lawmakers Resolve Stalemate over Cybersecurity Act?
Whether U.S. Defense Secretary Leon Panetta's dire outlook on cybersecurity is as stark as he outlined in a policy address last week [see In His Own Words: Panetta on Cyberthreats], his remarks provided the catalyst to get the Senate to reconsider cybersecurity legislation it blocked in August [see Senate Votes to Block Cybersecurity Act Action].
Still, the fact that debate over the Cybersecurity Act of 2012 will be resurrected after the November U.S. elections doesn't mean significant cybersecurity legislation will be enacted this year.
"I will bring cybersecurity legislation back to the Senate floor when Congress returns in November," Senate Majority Leader Harry Reid, D-Nev., declared in a statement over the weekend. "My colleagues who profess to understand the urgency of the threat will have one more chance to back their words with action, and work with us to pass this bill."
In his address, Panetta said the U.S. government and key IT systems remain vulnerable without enactment of cybersecurity legislation, specifically citing the Cybersecurity Act of 2012. While waiting for enactment of cybersecurity legislation, Panetta said the administration continues working on an executive order to deal with cyberthreats. "But, very frankly, there is no substitute for comprehensive legislation," he said.
What's missing from Panetta and Reid's remarks, as well as those made by the mostly Democratic sponsors of the Cybersecurity Act and its Republican foes, is how the stalemate that led to the filibuster could be resolved. All sides agree that key government and business IT systems remain vulnerable to a serious cyberattack and the need exists for both sides to negotiate on a cybersecurity bill. But no one has yet shown how a compromise could take shape.
At the center of the impasse is the Republicans' insistence that the government play no role in developing IT security standards the private owners of key IT infrastructures should adopt, even voluntarily. That's a key provisions of the Cybersecurity Act. Democrats, who won the support of five Republican senators for the bill, generally believe government and business should collaborate in drafting IT security practices that businesses can freely adopt or not.
Another divisive issue revolves around information sharing. All parties in the debate agree that businesses and government must share information about cyberthreats with each other to build the best defense against attacks. And they agree that businesses must be protected against legal action if they share information in good faith.
But the Obama administration, many Democrats and privacy and civil-liberties groups contend the House-passed Cyber Intelligence Sharing and Protection Act, known as CISPA, favored by most Republicans, plays lip service to privacy and civil-liberties protection, a viewpoint the GOP disputes [see Obama Threatens to Veto Cybersecurity Bill].
A Possible ResolutionThe outcome of the November election could resolve the standoff.
Five Democrats joined 40 Republicans to continue the filibuster on the Cybersecurity Act (Reid switched his vote to extend the filibuster as a parliamentary move so he could bring it up again), but some Democrats objected to the bill because they feel it didn't go far enough on civil liberties and privacy protection, not because they oppose the government establishing standards. Should Obama win reelection, and the five Democrats can be cajoled to vote for it, then only two more Republican votes would be needed (along with Reid's vote) to muster the 60 votes needed to end the filibuster. Then, a Senate-House conference committee could tackle the differences between the Cybersecurity Act and CISPA.
However, if Mitt Romney wins the election, and Republicans gain control of the Senate and expand their majority in the House, it's likely that GOP leaders would wait until next year to tackle cybersecurity legislation when a bill similar to CISPA would have a better chance of passing both houses.
What's unknown is how much pressure will be put on Congress to enact cybersecurity legislation. The fact, as Panetta pointed out, is that cyberspace is getting more dangerous, and Congress needs to act to shore up cyber defense.
Panetta is 'Dead On'
How real are the perils Panetta describes? Richard Stiennon, author of the book Surviving Cyberwar, says the defense secretary's assessment of cyberthreats is "dead on," although he doesn't believe the Cybersecurity Act would provide the needed protections. "A very disruptive attack against the power grid, manufacturing, chemical plants, you name it, is so easy that all that is lacking is an enemy that wants to exploit those weaknesses," he says.
Although Panetta raised the specter of an aggressor nation or extremist group wreaking devastation, his warnings were not as ominous as those voiced by others in the administration, Congress or elsewhere. "It was notable that he actively downplayed the national importance of cybercrime," says Allan Friedman, research director of the Center for Technology Innovation at the Brookings Institute. "Perhaps most notable was the absence of any mention of economic espionage or supply chain interference."
Friedman also points out Panetta did not address two of the largest issues, which, not coincidentally, focus on China: the theft of American and Western competitive industrial data and the risks of flawed or malicious code and products being introduced into American markets through attacks in the industrial supply chain. "While China is not the only potential threat in this arena, it has been held out as the primary concern, and multiple instances of both types of attacks have been observed," he says.
Earlier this month, a House intelligence committee recommended that U.S. government systems refrain from using telecommunications equipment produced by two Chinese companies, Huawei and ZTE, because of concerns the Chinese government could order the manufacturers to program the components to pilfer sensitive and classified information [see House Panel: 2 Chinese Firms Pose IT Security Risks]. The Obama administration has reserved comment on the committee's recommendation: "The administration has been working closely with the telecommunications industry to identify national security risks and we are consistently developing strategies to mitigate against those risks, bringing to bear the tools of all the relevant U.S. departments and agencies. We are committed to being vigilant to ensure that our national security interests are protected."
Cybersecurity as a Campaign Issue
Will Romney jump on the administration's reserved response to the intelligence panel's recommendation?
So far, he hasn't. Cybersecurity as an issue has yet to surface in the presidential campaign [see 2 Vital Cybersecurity Issues that aren't being Debated on the Trail] - or House or Senate contests, for that matter - but the potential exists that it could. With the presidential election three weeks away, and with Obama and Romney set to face off in less than a week in a foreign policy debate, moderator Bob Schieffer of CBS News announced the topics for the Oct. 22 confrontation will include be the rise of China and tomorrow's world. Though no one has yet suggested the cyberthreat from China will be debated before the election, if it is debated, it could shape how Congress might address cybersecurity legislation after the election.