Cybersecurity compromise: Responsible move or political cover?

The American flag f, ... ] // Manuel Balce Ceneta/AP file photo

In showing flexibility on their demands for cybersecurity standards for the private sector, the White House and Senate sponsors of broad cybersecurity legislation joined the prevailing view that passing a bill is more important than fighting over the details.

After months of closed-door briefings by federal officials intent on impressing upon lawmakers the threat of cyberattacks, the Senate appears to be following the House’s lead in moving forward on cybersecurity proposals that have broadest support while leaving more-contentious issues for another day.

Sponsors of the Cybersecurity Act of 2012 on Thursday introduced new language that drops controversial plans to hand federal officials authority to develop and enforce standards for certain critical computer networks. Instead, the bill provides for businesses to develop standards in exchange for incentives like liability protection. The revised bill also includes more privacy safeguards.

But is the new bill an example of rare bipartisan compromise, or political cover for politicians fearful of appearing weak on national security?

The White House had painted anything short of mandatory standards as “insufficient,” and lead sponsors like Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., say they still think a regulatory approach is needed.

As recently as last week, Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, I-Conn., another lead sponsor, had unequivocally called for legislation requiring minimum cybersecurity standards, and even in announcing the revisions on Thursday he argued the original bill was stronger.

“This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity,” he said in a statement. “If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system.”

Lawmakers and security experts have increasingly said that passing anything, even if not comprehensive, is better than not acting. And that’s a potent message for lawmakers sensitive to being singled out for blame if the worst should happen.

“I don't want to wake up one day and find out America has been hit because of gridlock here,” said Sen. Barbara Mikulski, D-Md., one of half a dozen lawmakers to take to the Senate floor to call for action this past week.

But even if the bill’s provisions become law, will it matter? Some supporters of new federal authority, like the Center for Strategic and International Studies’ James Lewis, are skeptical, calling any measure that relies solely on voluntary incentives merely “magical thinking” by lawmakers in a hurry to congratulate themselves for passing a cybersecurity bill.

Lewis believes the White House and its backers were close to winning the argument before they “fumbled on the 10-yard line.”

“Congress keeps coming up with these feeble bills that somehow pretend they’re adequate, but they don’t really do anything,” he said. “I think they just wanted a bill with ‘cybersecurity’ in its title.”

The effort to give federal agencies more standard-setting authority was not one lightly set aside.

The White House’s push for more authority to mandate cybersecurity for critical networks like those used by electric grids and water-treatment plants began more than a year ago when the administration unveiled its cybersecurity legislative proposal.

In that proposal, the White House called for the secretary of Homeland Security to be given the authority to identify critical infrastructure, develop minimum standards in collaboration with businesses, and then enforce those standards if businesses do not adhere to them.

Under the guidance of Senate Majority Leader Harry Reid, D-Nev., leaders of the Senate Homeland Security, Commerce, and Intelligence committees embarked last year on a multi-panel process to produce the broad bill that became the Cybersecurity Act.

The legislation included new authorities for DHS along the lines envisioned by the White House. Despite Reid’s hope to bring the bill straight to the floor in the first weeks of 2012, top Senate Republicans balked, with a string of committee leaders announcing a competing cyber proposal on the same day that the Cybersecurity Act was rolled out in February.

Since then, the bill has been stalled as a range of senators discussed potential compromises. Meanwhile, in April, the House passed a series of cybersecurity bills, including one that the White House threatened to veto over its lack of cybersecurity authority. “Voluntary measures alone are insufficient responses to the growing danger of cyber threats,” the administration said in a statement of policy at the time.

Republicans and industry groups signaled that the new language in the Senate’s Cybersecurity Act is a step in the right direction, but few rushed to give wholehearted support, likely holding out for more changes when the bill is debated as soon as next week.
