Top Guns Lobby for Cybersecurity ActFrontal Assault by Obama Administration to Get Bill Enacted
Presidential counterterrorism adviser John Brennan remains mystified that scores of U.S. senators remain opposed to compromise legislation aimed at toughening America's cyber defenses, even after they attended classified and non-classified briefings on the cyberthreats the nation's critical IT infrastructure faces.
See Also: What is next-generation AML?
Joint Chiefs Weigh In
"We find it hard to believe that there are any reasons or basis to oppose this legislation," said Brennan, one of the top guns the White House brought out Aug. 1 in a full-frontal assault to publicly lobby for passage of the Cybersecurity Act of 2012, S. 3414, an administration-backed bill that calls for the U.S. federal government and business to collaborate in developing IT security standards. "I'm just very puzzled as to why individuals would oppose this."
Even though voluntary standards fall short in our view of delivering a desired level of security under mandatory requirements, we still think that they drive meaningful improvements to the status quo.
On the eve of a Senate cloture vote, the White House hosted a media briefing where Brennan - joined by Gen. Keith Alexander, commander of the U.S. cyber command and director of the National Security Agency; Jane Holl Lute, Homeland Security deputy secretary; and Eric Rosenbach, Defense deputy assistant secretary for cyber policy - outlined the dangers the nation faces if Congress fails to pass the bill.
The legislation would establish a process in which the government and industry jointly develop IT security standards that the owners of the mostly privately-run critical infrastructure could adopt or reject.
After Republican lawmakers objected to any form of government-imposed standards, the Senate measure's sponsors, including Independent Democrat Joseph Lieberman of Connecticut and Republican Susan Collins of Maine, excised language from the original bill that would have given the federal government authority to regulate critical infrastructure.
Battling Chamber Opposition
Still, the U.S. Chamber of Commerce opposes the bill, contending it could impede U.S. cybersecurity by shifting businesses' resources away from implementing robust and effective security measures and toward meeting government requirements.
"Cybersecurity relies on the business community and the federal government working collaboratively," the Chamber says in a statement issued July 31. "The regulatory approach provided in S. 3414 would likely create an adversarial relationship, which should be unacceptable to lawmakers. The Chamber urges Congress to not complicate or duplicate existing industry-driven security standards with government mandates and bureaucracies, even if they are couched in language that would mischaracterize these standards as 'voluntary.'"
Brennan sounded incredulous in reacting to the Chamber stand, which many Republican senators refuse to oppose. "It's incomprehensible that they're opposing this," Brennan said. "The Chamber of Commerce has come out with a statement that I really think misrepresents what this legislation is trying to do and the importance of it. So, obviously there are some interests behind this legislation, but it's one that is not grounded, I think, in facts or national security concerns."
Lute rejected any contention that the legislation places an undue onus on industry because the government is turning to business to help develop the standards. "Surely, it cannot be a burden for industry to safeguard the identity of the customers that they're dealing with," she said. "We know in our conversations that they acknowledge that."
If the White House presenters wanted to scare lawmakers into enacting the bill, they provided the ammunition in the form of statistics. Citing Department of Homeland Security data, Alexander said the nation's critical IT infrastructure grew 20-fold from 2009 to 2011.
"What concerns me is what we're seeing is the evolution of these cyber events from exploitation to disruption, and our concern is that they're going toward destruction, which would have significant impact not only on Wall Street, but our critical infrastructure like the power grid and others," Alexander said. "We have provided classified examples of these to Congress."
Joint Chiefs Weigh In
The orchestrated campaign to win support for the Cybersecurity Act included the release of a letter from Army Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, who urged immediate enactment of the bill and wrote: "Minimum standards will help ensure there is no weak link in our infrastructure. ... Only (a) legislative remedy will enable our nation to adequately address the cyberthreat."
These top administration officials and Army generals made it clear they would prefer to have a bill that would give the government some authority to regulate IT security for critical infrastructure, but said even the weaker bill has value.
"While we prefer there to be mandatory standards, the approach that Lieberman and Collins have taken with the voluntary standards is quite good and absolutely still moves forward strengthening the security of critical infrastructure," Rosenbach said. "The way they do it involving the private sector is very clever, and the way they do it in providing incentives with litigation protection for those who choose to become involved in the program I think is very smart."
Added Lute: "Even though voluntary standards fall short in our view of delivering a desired level of security under mandatory requirements, we still think that they drive meaningful improvements to the status quo, which is unacceptable."
But if history repeats itself, the status quo will prevail. In the 112th Congress, the Senate Democratic majority has never won a cloture vote to stop debate and immediately vote on a bill. And, if the Cybersecurity Act supporters had the necessary 60 votes, they wouldn't have needed to call out these national security heavy-weights to lobby for the bill.