WASHINGTON – A long-running effort to protect critical infrastructure in the U.S. from cyber attacks collapsed in Congress last year. Despite this setback, different groups have continued their calls for more action in the wake of continuous threats, paving the way for the Obama administration to take the lead on cybersecurity policy – perhaps in an executive order that could come early this year.
After Congress first rejected the Cybersecurity Act of 2012 in August, the Obama administration immediately began drafting an executive document, known as Presidential Policy Directive 20. The White House argued that the danger of a devastating cyber attack against the U.S. was just too great for the executive branch to ignore it. The executive order, unlike the bill, does not need congressional approval, which will undoubtedly open the debate about the directive’s constitutionality.
The executive order will offer voluntary guidelines and a strict set of standards that will help government “more effectively secure the nation’s critical infrastructure by working collaboratively with the private sector,” White House spokeswoman Caitlin Hayden told the Washington Times.
The cybersecurity bill, first introduced by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) in February, called for the creation of a council to develop standards for certain industries such as utilities, pipelines, and financial service companies labeled as “critical infrastructure.” It also aimed to encourage industry to share information with the government about cyber-threats spotted on their networks.
After months of negotiations with privacy and civil liberty groups and industry representatives, the Senate introduced a revised version of the bill last summer. In the hopes of winning over the opposition, the bill’s co-sponsors significantly watered it down, making the cybersecurity standards optional.
Despite disagreements over specific measures, the legislation attracted widespread bipartisan support in the Senate. Many senators agreed with the major provisions of the bill that sought to strengthen the nation’s barriers against cyber attacks. But a rift emerged between the legislators believing that a new regulatory program was necessary because of the private sector’s failure to adequately protect its networks, and those doubting the efficacy of more government regulation in achieving its intended objective.
Back in August, Republicans and business groups strongly opposed the bill that would have imposed minimum standards of security on companies in key industries, claiming it was unwarranted government regulation. After the bill fell short to pass in August, Senate Majority Leader Harry Reid voted against it in a procedural move so that he could bring the bill back to the floor in November.
During the lame-duck session, the Senate came close to passing cybersecurity legislation. But a motion to move forward on the bill failed to secure the 60 votes needed to bring the bill up for passage.
“The bill that was and is most important to the intelligence community was just killed, and that’s cybersecurity,” Reid told the Hill after the vote. “Whatever we do for this bill, it’s not enough for the U.S. Chamber of Commerce. So everyone should understand cybersecurity is dead for this Congress. What an unfortunate thing, but that’s the way it is.”
Opposition to the bill made some legislators break ranks with their party. Four Democrats – Sens. Max Baucus (Mont.), Mark Pryor (Ark.), Jon Tester (Mont.) and Ron Wyden (Ore.) – voted against the motion in November. Three Republicans – Sens. Collins, Olympia Snowe (Maine), and Scott Brown (Mass.) – joined their Democratic counterparts in favor of the bill.
A rival version, the SECURE IT Act, introduced by Sen. John McCain (R-Ariz.) and a group of Senate Republicans in March, focused on improving the sharing of information about cyber-threats, but it did not include any measures aimed at creating security standards for critical infrastructure. The bill failed to gain traction in Congress and among civil liberty groups, including the American Civil Liberties Union.
Many government officials lamented the Cybersecurity Act’s failure. Sen. Daniel K. Akaka (D-Hawaii), senior member of the Senate Committee on Homeland Security, expressed his disappointment that the Senate “once again failed to put partisan differences aside and pass the critical bill.” Defense Secretary Leon Panetta also expressed his disappointment with the Senate for failing to allow the country to enhance its ability to protect itself against threats.