The federal government does not have the legal authority to contain computer network meltdowns capable of roiling society and will not obtain that power until at least 2013, said a cybersecurity researcher who advises Congress and the Obama administration.
There is considerable agreement in the House and the Senate that the government should be able to tell private companies running systems vital to Americans -- the power grids, telecommunications lines and financial markets -- how to protect their computers.
But industry pushback and election-year politicking are stifling efforts to make security mandatory in critical sectors, said James A. Lewis, a senior fellow at the Center for Strategic and International Studies. He was speaking before government officials and federal contractors at a Thursday briefing hosted by Government Executive, Nextgov's sister publication.
Lewis said during an interview that a former senior Republican U.S. official told him this week that there will be a network disruption that devastates the United States, and only then will Congress be held accountable for not regulating cybersecurity.
"In the event of a true crisis, the U.S. doesn't have the authorities to respond effectively," Lewis said. The senior official told him, " 'We're going to have something like a 9/11 commission and all the people who've blocked legislation -- they'll be exposed,' " Lewis said.
Legislation has been languishing in the Senate for a couple of years. Now, there is momentum in the House to move a bill and the Senate is expected to vote on critical infrastructure measures within the next three weeks, according to congressional aides.
But lawmakers who want to pull the teeth out of proposals are prolonging negotiations, Lewis said.
"You've had a cadre of senators who've written good legislation that is now watered down," he said during the event. "Maybe in 2013 we can pull it off."
Technology companies, however, note that prescriptive computer safeguards could have the unintended consequences of obstructing innovation and handicapping efforts to keep pace with evolving threats.
Officials with industry group TechAmerica have asked lawmakers to avoid a uniform, mandated approach to cybersecurity. "We encourage Congress and the administration to draw a bright line between critical and noncritical infrastructure," the organization's president, Phil Bond, stated last spring. "Industry and government need to work together to make the right determinations for what is critical and what the implications are for that designation."
Lewis said in the interview, "There's strong pressure to create really big loopholes." As a result, exemptions are being considered for companies that do not operate systems capable of inflicting "mass casualties," on the scale of Hiroshima, he said.
"We couldn't fix the national debt. How are we going to do cybersecurity?" Lewis questioned. "It's not a good year to be trying this."