Cybersecurity compromise: Responsible move or political cover?

The American flag f, ... ] // Manuel Balce Ceneta/AP file photo

In showing flexibility on their demands for cybersecurity standards for the private sector, the White House and Senate sponsors of broad cybersecurity legislation joined the prevailing view that passing a bill is more important than fighting over the details.

After months of closed-door briefings by federal officials intent on impressing upon lawmakers the threat of cyberattacks, the Senate appears to be following the House’s lead in moving forward on cybersecurity proposals that have broadest support while leaving more-contentious issues for another day.

Sponsors of the Cybersecurity Act of 2012 on Thursday introduced new language that drops controversial plans to hand federal officials authority to develop and enforce standards for certain critical computer networks. Instead, the bill provides for businesses to develop standards in exchange for incentives like liability protection. The revised bill also includes more privacy safeguards.

But is the new bill an example of rare bipartisan compromise, or political cover for politicians fearful of appearing weak on national security?

The White House had painted anything short of mandatory standards as “insufficient,” and lead sponsors like Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., say they still think a regulatory approach is needed.

As recently as last week, Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, I-Conn., another lead sponsor, had unequivocally called for legislation requiring minimum cybersecurity standards, and even in announcing the revisions on Thursday he argued the original bill was stronger.

“This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity,” he said in a statement. “If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system.”

Lawmakers and security experts have increasingly said that passing anything, even if not comprehensive, is better than not acting. And that’s a potent message for lawmakers sensitive to being singled out for blame if the worst should happen.

“I don't want to wake up one day and find out America has been hit because of gridlock here,” said Sen. Barbara Mikulski, D-Md., one of half a dozen lawmakers to take to the Senate floor to call for action this past week.

But even if the bill’s provisions become law, will it matter? Some supporters of new federal authority, like the Center for Strategic and International Studies’ James Lewis, are skeptical, calling any measure that relies solely on voluntary incentives merely “magical thinking” by lawmakers in a hurry to congratulate themselves for passing a cybersecurity bill.

Lewis believes the White House and its backers were close to winning the argument before they “fumbled on the 10-yard line.”

“Congress keeps coming up with these feeble bills that somehow pretend they’re adequate, but they don’t really do anything,” he said. “I think they just wanted a bill with ‘cybersecurity’ in its title.”

The effort to give federal agencies more standard-setting authority was not one lightly set aside.

The White House’s push for more authority to mandate cybersecurity for critical networks like those used by electric grids and water-treatment plants began more than a year ago when the administration unveiled its cybersecurity legislative proposal.

In that proposal, the White House called for the secretary of Homeland Security to be given the authority to identify critical infrastructure, develop minimum standards in collaboration with businesses, and then enforce those standards if businesses do not adhere to them.

Under the guidance of Senate Majority Leader Harry Reid, D-Nev., leaders of the Senate Homeland Security, Commerce, and Intelligence committees embarked last year on a multi-panel process to produce the broad bill that became the Cybersecurity Act.

The legislation included new authorities for DHS along the lines envisioned by the White House. Despite Reid’s hope to bring the bill straight to the floor in the first weeks of 2012, top Senate Republicans balked, with a string of committee leaders announcing a competing cyber proposal on the same day that the Cybersecurity Act was rolled out in February.

Since then, the bill has been stalled as a range of senators discussed potential compromises. Meanwhile, in April, the House passed a series of cybersecurity bills, including one that the White House threatened to veto over its lack of cybersecurity authority. “Voluntary measures alone are insufficient responses to the growing danger of cyber threats,” the administration said in a statement of policy at the time.

Republicans and industry groups signaled that the new language in the Senate’s Cybersecurity Act is a step in the right direction, but few rushed to give wholehearted support, likely holding out for more changes when the bill is debated as soon as next week.
