Obama Readies Unilateral Move on Cybersecurity

WASHINGTON – A long-running effort to protect critical infrastructure in the U.S. from cyber attacks collapsed in Congress last year. Despite this setback, different groups have continued their calls for more action in the wake of continuous threats, paving the way for the Obama administration to take the lead on cybersecurity policy – perhaps in an executive order that could come early this year.

After Congress first rejected the Cybersecurity Act of 2012 in August, the Obama administration immediately began drafting an executive document, known as Presidential Policy Directive 20. The White House argued that the danger of a devastating cyber attack against the U.S. was just too great for the executive branch to ignore it. The executive order, unlike the bill, does not need congressional approval, which will undoubtedly open the debate about the directive’s constitutionality.

The executive order will offer voluntary guidelines and a strict set of standards that will help government “more effectively secure the nation’s critical infrastructure by working collaboratively with the private sector,” White House spokeswoman Caitlin Hayden told the Washington Times.

The cybersecurity bill, first introduced by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) in February, called for the creation of a council to develop standards for certain industries such as utilities, pipelines, and financial service companies labeled as “critical infrastructure.” It also aimed to encourage industry to share information with the government about cyber-threats spotted on their networks.

After months of negotiations with privacy and civil liberty groups and industry representatives, the Senate introduced a revised version of the bill last summer. In the hopes of winning over the opposition, the bill’s co-sponsors significantly watered it down, making the cybersecurity standards optional.

Despite disagreements over specific measures, the legislation attracted widespread bipartisan support in the Senate. Many senators agreed with the major provisions of the bill that sought to strengthen the nation’s barriers against cyber attacks. But a rift emerged between the legislators believing that a new regulatory program was necessary because of the private sector’s failure to adequately protect its networks, and those doubting the efficacy of more government regulation in achieving its intended objective.

Back in August, Republicans and business groups strongly opposed the bill that would have imposed minimum standards of security on companies in key industries, claiming it was unwarranted government regulation. After the bill fell short to pass in August, Senate Majority Leader Harry Reid voted against it in a procedural move so that he could bring the bill back to the floor in November.

During the lame-duck session, the Senate came close to passing cybersecurity legislation. But a motion to move forward on the bill failed to secure the 60 votes needed to bring the bill up for passage.

“The bill that was and is most important to the intelligence community was just killed, and that’s cybersecurity,” Reid told the Hill after the vote. “Whatever we do for this bill, it’s not enough for the U.S. Chamber of Commerce. So everyone should understand cybersecurity is dead for this Congress. What an unfortunate thing, but that’s the way it is.”

Opposition to the bill made some legislators break ranks with their party. Four Democrats – Sens. Max Baucus (Mont.), Mark Pryor (Ark.), Jon Tester (Mont.) and Ron Wyden (Ore.) – voted against the motion in November. Three Republicans – Sens. Collins, Olympia Snowe (Maine), and Scott Brown (Mass.) – joined their Democratic counterparts in favor of the bill.

A rival version, the SECURE IT Act, introduced by Sen. John McCain (R-Ariz.) and a group of Senate Republicans in March, focused on improving the sharing of information about cyber-threats, but it did not include any measures aimed at creating security standards for critical infrastructure. The bill failed to gain traction in Congress and among civil liberty groups, including the American Civil Liberties Union.

Many government officials lamented the Cybersecurity Act’s failure. Sen. Daniel K. Akaka (D-Hawaii), senior member of the Senate Committee on Homeland Security, expressed his disappointment that the Senate “once again failed to put partisan differences aside and pass the critical bill.” Defense Secretary Leon Panetta also expressed his disappointment with the Senate for failing to allow the country to enhance its ability to protect itself against threats.

Panetta warned last year of the possibility of a “cyber Pearl Harbor.” He told business leaders attending a meeting of the Business Executives for National Security that the country is increasingly vulnerable to foreign computer hackers who could attack the country’s transportation system, government, financial networks, and power grid.

In a recent report, the Department of Homeland Security (DHS) estimated that more than 40 percent of all reported cyber attacks on critical infrastructure in 2012 targeted the energy sector. Many of the incidents reported to the DHS targeted information that could facilitate remote access and unauthorized operation.

Sustained cyber attacks targeting the websites of a dozen U.S. banks, including Wells Fargo, JP Morgan Chase, and Bank of America, exemplify the growing threat to the financial sector. What makes these attacks suspicious is that they are not carried by opportunists trying to steal data or money, but instead by experts keen on creating significant disruptions. Computer-security specialists say that the attacks showed a level of sophistication that exceeded that of amateur hackers, making it more likely that they were orchestrated by a nation.

“There is no doubt within the U.S. government that Iran is behind these attacks,” former Commerce and State Department official James A. Lewis told the New York Times this month. According to Lewis, the attacks are probably in retaliation for previous cyber attacks on Iran as well as sanctions imposed on the country.

After the intensifying wave of attacks, major U.S. banks have turned to the National Security Agency for technical assistance in an effort to protect their computer systems, the Washington Post reported.

The banks’ request follows a similar push by a trade group for more collaboration between the private sector and government. The Business Roundtable, which represents the chief executive of top U.S. companies, has recently called on Congress to pass legislation aimed at improving the sharing of information between government and industry so companies can thwart cyber attacks quickly. The group, however, cautioned against a “static compliance based regime” that would undermine a more dynamic solution based on information sharing.

Before the Senate vote in November, Lieberman warned of the possibility of an executive order issued by the president if the Senate voted against moving the bill forward. Reid also noted that the order would fall short of what the bill could accomplish, including liability protection that would protect companies from legal action if they are hit by a cyber attack.

In a letter sent to the president in October, a group of Republican senators urged Obama to work with Congress on cybersecurity legislation instead of acting unilaterally in a way that “will solidify the present divide” among stakeholders. The White House is expected to roll out the executive order as early as the end of this month.

As new leaders assume command of the congressional committees in charge of cybersecurity legislation, the prospects of reviving the debate have begun to emerge. A coalition of Senate Democrats, led by longtime cybersecurity legislation supporter Sen. Jay Rockefeller (D-W.Va), introduced on Wednesday a new resolution tackling the issue. “The new Congress has a real opportunity to reach needed consensus on bipartisan legislation that will strengthen our nation’s cybersecurity,” the senators said in a joint statement announcing the bill, called the Cybersecurity and American Cyber Competitiveness Act of 2013.

The new bill outlines legislative intent but does not provide any specific solutions beyond some recommendations to improve collaboration between the private sector and the federal government.