Last Thursday, the Senate failed to pass The Cybersecurity Act of 2012 as the attempt to force a vote on the bill in the face of a Republican-led filibuster fell short, 52-46.  With the defeat of the Act, it’s doubtful any cybersecurity legislation will come of this Congressional session.  That may not get your blood boiling, but consider a recent global study conducted by the Symantec Corporation (the same folks that sell the Norton Antivirus software) which alleges global cybercrime costs to be over $388 billion annually.  If you’re still not sold, just watch WarGames.

While it’s unlikely Matthew Broderick is going to wreak havoc on NORAD headquarters anytime soon, don’t tell General Keith Alexander, head of the National Security Agency, that the United States is safe from cyber attacks.  When prompted, Gen. Alexander recently said a damaging cyber attack was imminent, and rated our national cyber defense at a 3 out of 10.  With the Act stymied, it’s impossible to know what, if anything, was in line to be improved.

Sponsored by Senators Joe Lieberman, Susan Collins, Dianne Feinstein, and John D. Rockefeller, the Cybersecurity Act of 2012 joins a veritable horde of cybersecurity legislation that has failed over the past several years.  As is often the case with regulations involving data privacy and technology, issues of national security are quickly trumped by corporate and personal concerns.  The day after the act was introduced, Baker Hostetler’s Theodore Kobus outlined a few of those concerns on the firm’s Data Privacy Monitor:

“There will be concern about the extent to which a private company, or the government, will be able to monitor cybersecurity threats.  However, there are many limitations in place under the current laws regarding a company’s ability to monitor its own information systems.  Indeed, that is one of the challenges we face when responding to a data security incident which implicates employee personal information and personal email accounts—even when that information is on a network or computer owned by a company.”

And along with those obvious privacy concerns, there were also the questions of how the government would handle companies that don’t comply with suggested (or mandated) guidelines:

“Another concern that will likely be raised is that the government will be able to require compliance by a company by designating an entity as a covered critical infrastructure.  However, there are significant protections under the proposed legislation to limit the government’s ability to make such a designation.  The unanswered question is how much the civil penalties are going to be for non-compliance once designated, and how tough the government will be when it comes to defining the level of security that needs to be in place to address a vulnerability.”

Concerns aside, the bill itself was designed, among other things, to give the Department of Homeland Security authority over cybersecurity threats.  David Fagan has a more nuanced overview of the language in the initial version of the Act over on Covington’s Inside Privacy:

“As currently drafted, S. 2105 would centralize responsibility for cybersecurity of civilian infrastructure in the Department of Homeland Security (DHS) and require the Secretary of Homeland Security, in consultation with owners and operators of covered critical infrastructure, to conduct risk-based assessments of cybersecurity threats to covered critical infrastructure. The Secretary would have the authority to designate “systems or assets” as covered critical infrastructure if a cyber attack on the system or asset could “reasonably result” in “the interruption of life-sustaining services . . . sufficient to cause” a “mass casualty event” or mass evacuations, or “catastrophic economic damage to the United States.” The bill also would require the Secretary, based on the risk assessments and working with owners and operators of covered critical infrastructure, to establish cybersecurity performance requirements. Owners and operators would have flexibility to determine how best to meet the performance requirements.”

In his post, Fagan goes on to discuss the other elements of the Act, including 1) the creation of the National Center for Cybersecurity and Communications in the DHS, 2) mandated “education and awareness campaigns” in concert with other programs to continue the advancement of increased cybersecurity, and 3) plans to expand the United States’ presence in the international cyber community.

As the Act faced pressure to change certain provisions, the co-sponsors went back to the drawing board to revise portions of the bill.  On July 19th, the bill was reintroduced with several changes.  Another contributor to Inside Privacy, Kristen Eichensehr, had the details on what was new:

“The new CSA2012 (S. 3414) takes a different approach than the original version to cybersecurity of critical infrastructure. The original bill would have given the Department of Homeland Security (“DHS”) authority to designate “systems or assets” as covered critical infrastructure and to require owners and operators of designated critical infrastructure to meet cybersecurity performance requirements, established by DHS. The new CSA2012, on the other hand, would rely on voluntary private sector compliance with cybersecurity standards. As Senator Lieberman explained, the revised bill relies on “carrots instead of sticks.””

To read a thorough breakdown of the newest iteration of the Act, check out Jennifer Archie and Kevin Boyle’s post over on Global Privacy and Security Compliance Law Blog.

Like most revisions to legislation, changes were made to appease opponents of the bill, which in this case included the U.S. Chamber of Commerce and a stronghold of Republicans led by Senator John McCain.  And it’s not as though the opposition was without reason.  Vague language and conflicting provisions made following the Act difficult at best.  Even the revisions, while broadly supported, created new conflicts, as Stewart Baker, former first Assistant Secretary for Policy at the Department of Homeland Security, brought to light on the Steptoe Cyberblog:

“The reality is, privacy groups have added so much baggage to the information sharing provisions that the new law is nearly useless to private sector companies who want to improve cybersecurity. In fact, it may impose an entire new regulatory and liability yoke on companies that treat cybersecurity seriously.

….

If their goal was to make information sharing so complex that it’s nearly impossible to do, they’ve just about managed to achieve it. Indeed, there’s a real risk that the new provisions will end up creating new limitations on information sharing, new liabilities for security officers, and new legal protections for the people breaking into our networks.”

Many internet denizens may remain skeptical of Baker’s zeal for eradicating privacy restrictions when combating cyber criminals, but “hackers” (if that’s what we must call them) are a merciless sort, prone to exploit any hole, be it legal or technological, to their advantage.  Regardless, Baker’s post is simply a must-read for anyone interested in the Act.

When the revised bill hit the Senate floor, it was clear serious opposition to the CSA remained.  As Baker Hostetler’s William Weber pointed out, while there is broad support for cybersecurity legislation, how to go about it remains the topic of “fierce” debate:

“As this blog has described since the beginning of the year, there is widespread support among Democrats, Republicans, and the White House on the need for cybersecurity legislation. But there is fierce disagreement over what it should look like. A principal issue all along has been whether the bill should impose certain security standards on the private sector, with which most of the nation’s critical infrastructure resides, or set up a voluntary program.”

In addition to these regulatory disagreements, there were also political realities at play:

“It’s hard to tell how this will end up. With the elections only three months away, at least 1/3 of the Senate is very sensitive to lobbying by key constituencies and Members may decide that the Hippocratic oath / political rule of thumb “first, do no harm” means don’t pass an obscure bill the public isn’t clamoring for. But outside-the-beltway events such as the massive power outages across India (which so far don’t appear to involve cyber breaches) may yet spur action, as no candidate wants to be caught flat-footed were a cybersecurity incident to occur before November 6.”

With the benefit of hindsight, it seems obvious the bill was doomed to fall short of its goal in the Senate.  But what actually happened?  After the failed cloture vote, Stewart Baker explained the influences outside the Senate floor that played a part in blocking the Act:

“The US Chamber of Commerce is the Democrats’ favorite whipping boy. But in this case the Democrats are right. The Chamber wanted this bill dead, and it rejected substantial efforts to accommodate its concerns on the part of Senators Lieberman, Collins, and Kyl — none of whom are exactly enemies of business.”

But as Baker writes, lobbyists weren’t the only culprit here:

“Sen. McCain played the largest role in rallying opposition to Collins-Lieberman and then was unable or unwilling to deliver a compromise when the chips were down. I’ve worked with him. I respect him. He’s an honest patriot. But he miscalculated badly here.

So did the President. In fact the President probably contributed as much as Senate Republicans to the collapse of the bill. When the House was considering cybersecurity legislation, the White House issued a veto threat against CISPA on fairly flimsy grounds — mainly its half-a-loaf nature and some remarkably trivial differences over privacy protection.”

Whatever the cause, it appears cybersecurity will have to wait another year to be strengthened by legislation (though the Obama Administration may push for a quicker fix).  Of all the recent attempts at creating a regulatory framework to bolster our international and domestic cyber defenses, this act represented the best new hope, but was deeply flawed.  Somewhat similar to SOPA and PIPA, the CSA ran into a buzzsaw of privacy interests and corporate fears, and by the time the bill reached the Senate floor there was no chance it would end up on President Obama’s desk.  Maybe next year, but I wouldn’t hold your breath.