The White House had painted anything short of mandatory standards as “insufficient.”
In showing flexibility on their demands for cybersecurity standards for the private sector, the White House and Senate sponsors of broad cybersecurity legislation joined the prevailing view that passing a bill is more important than fighting over the details.
After months of closed-door briefings by federal officials intent on impressing upon lawmakers the threat of cyberattacks, the Senate appears to be following the House’s lead in moving forward on cybersecurity proposals that have broadest support while leaving more-contentious issues for another day.
Sponsors of the Cybersecurity Act of 2012 on Thursday introduced new language that drops controversial plans to hand federal officials authority to develop and enforce standards for certain critical computer networks. Instead, the bill provides for businesses to develop standards in exchange for incentives like liability protection. The revised bill also includes more privacy safeguards.
But is the new bill an example of rare bipartisan compromise, or political cover for politicians fearful of appearing weak on national security?
The White House had painted anything short of mandatory standards as “insufficient,” and lead sponsors like Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., say they still think a regulatory approach is needed.
As recently as last week, Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, I-Conn., another lead sponsor, had unequivocally called for legislation requiring minimum cybersecurity standards, and even in announcing the revisions on Thursday he argued the original bill was stronger.
“This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity,” he said in a statement. “If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system.”
Lawmakers and security experts have increasingly said that passing anything, even if not comprehensive, is better than not acting. And that’s a potent message for lawmakers sensitive to being singled out for blame if the worst should happen.
“I don't want to wake up one day and find out America has been hit because of gridlock here,” said Sen. Barbara Mikulski, D-Md., one of half a dozen lawmakers to take to the Senate floor to call for action this past week.
But even if the bill’s provisions become law, will it matter? Some supporters of new federal authority, like the Center for Strategic and International Studies’ James Lewis, are skeptical that any measure that relies solely on voluntary incentives is merely “magical thinking” by lawmakers in a hurry to congratulate themselves for passing a cybersecurity bill.
Lewis believes the White House and its backers were close to winning the argument before they “fumbled on the 10-yard line.”
“Congress keeps coming up with these feeble bills that somehow pretend they’re adequate, but they don’t really do anything,” he said. “I think they just wanted a bill with ‘cybersecurity’ in its title.”
The effort to give federal agencies more standard-setting authority was not one lightly set aside.
The White House’s push for more authority to mandate cybersecurity for critical networks like those used by electric grids and water-treatment plants began more than a year ago when the administration unveiled its cybersecurity legislative proposal.
In that proposal, the White House called for the secretary of Homeland Security to be given the authority to identify critical infrastructure, develop minimum standards in collaboration with businesses, and then enforce those standards if businesses do not adhere to them.
Under the guidance of Senate Majority Leader Harry Reid, D-Nev., leaders of the Senate Homeland Security, Commerce, and Intelligence committees embarked last year on a multi-panel process to produce the broad bill that became the Cybersecurity Act.
The legislation included new authorities for DHS along the lines envisioned by the White House. Despite Reid’s hope to bring the bill straight to the floor in the first weeks of 2012, top Senate Republicans balked, with a string of committee leaders announcing a competing cyber proposal on the same day that the Cybersecurity Act was rolled out in February.
Since then, the bill has been stalled as a range of senators discussed potential compromises. Meanwhile, in April, the House passed a series of cybersecurity bills, including one that the White House threatened to veto over its lack of cybersecurity authority. “Voluntary measures alone are insufficient responses to the growing danger of cyber threats,” the administration said in a statement of policy at the time.
Republicans and industry groups signaled that the new language in the Senate’s Cybersecurity Act is a step in the right direction, but few rushed to give wholehearted support, likely holding out for more changes when the bill is debated as soon as next week.