With attempts to push through comprehensive cybersecurity legislation dead for this year, a pending executive order will likely include many of the features of the failed bill.
A final attempt to pass a cyber bill introduced by Senators Joseph Lieberman (I-CT) and Susan Collins (R-Maine) was defeated this week in a 51-47 vote. The bill was blocked by senate republicans who believe that the legislation would lead to more federal regulation of business.
Attention now shifts to the White House, which has been working on an executive order for cybersecurity and protecting national infrastructure for several months. The Obama administration is being tight-lipped about an exact release date for the order, but senate staffers told Breaking Gov that it might come out sometime after the Thanksgiving holiday.
The U.S. Chamber of Commerce has been adamantly opposed to the Lieberman bill since its introduction. Its allies in the Senate had already stopped the bill once in August. In that time, it was hoped that tempers would cool post-election and allow the bill to be passed. But even with amendments designed to mollify the business community, it was still opposed because of fears of additional federal regulation.
Even with the executive order, staffers believe that additional legislation will be needed in the upcoming year.
“We’ll pick up the pieces from there,” one staffer said.
Getting industry to support cyber legislation is important because the best policies and practices are developed in partnership with the private sector, White House spokesperson Caitlin Hayden told Breaking Gov by email. She noted that for decades industry and government have worked together to protect critical assets in a variety of sectors, from airports to nuclear power plants.
“There is no reason we cannot work together in the same way to protect critical infrastructure cyber systems upon which so much of our economic well-being, national security, and daily lives depend,” she wrote.
The White House wants to work with firms contributing to cybersecurity innovation because they can help create and shape best practices, Hayden said. Companies needing to upgrade their security would have the flexibility to decide how best to do so from a wide range of products and services available in the marketplace. The Obama administration is also committed to incorporating strong privacy and civil liberties protection into to any critical infrastructure initiatives, she explained.
Comprehensive legislation is still needed to fully address cyber threats to the national infrastructure, because existing laws don’t allow government to take some of the necessary security steps that are needed, Hayden said. But with hope of any additional legislation dead until next year, she noted that the risk is too great for the administration not to act. Although an executive order is not a substitute for legislation because it does not create new powers or authorities, it does set policy under existing law, she said.
But the issue of cybersecurity isn’t going away. Media coverage of recent cyber attacks, such as the one on Saudi Arabia’s national oil company and Defense Secretary Leon Panetta’s cybersecurity speech have put the topic in the public’s eye, said Clete Johnson, a staffer and legal counsel with the Senate Select Committee on Intelligence. Speaking at a recent cybersecurity symposium, he said that if enough public attention and pressure is put on the issue, it can be a tipping point for Congress to act. The challenge is to avoid reactive legislation, especially if there is an attack on U.S. assets, he said.
There is also a good chance that the Lieberman legislation, or some variant of it, will be picked up again in the 2013 congress, Congressional staffers said. With Senator Lieberman retiring next year, there is some uncertainty about who will spearhead the legislation, but staffers were confident that it will be picked up again. Work is also beginning on the first stages of new cyber legislation for the upcoming year, said Michael Seeds, legislative director for Rep. Mac Thornberry (R-TX).
Although the Chamber of Commerce was instrumental in blocking meaningful cyber legislation, not all business groups were with it on this issue. Several trade associations representing high tech firms have stood with the administration for comprehensive cybersecuity policy.
Technology firms are responsible for building much of the nation’s IT infrastructure and they are pushing their own private sector security initiatives as well as working with the government, said Danielle Kriz, director of global cybersecurity policy with the Information Technology Industry Council.
“We have a vested interest in getting things right,” she said.