Settling for half a loaf, or maybe two thirds, Senator Joe Lieberman (I-Conn.) and his cybersecurity colleagues massaged their landmark Cybersecurity Act of 2012 in hopes of getting something done before the long August-to-Labor Day recess.
As we’ve reported, the differences within the Senate were never about updating what federal agencies should do about their own networks’ security. The Lieberman bill and the competing bill from Arizona Republican John McCain differed a lot, however, in how much the government could regulate the cybersecurity practices of private sector operators of critical infrastructure.
In a bid to bridge the differences, the Lieberman camp made some amendments to ease what some businesses had stated would be costly impositions. Too late, the White House even jumped into the fray, trotting out Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, and John O. Brennan, the White House counterterrorism adviser. The White House even had an opinion piece under President Obama’s byline run in the Wall Street Journal.
The Washington Post and other media described the early August failure of the revised bill as caused by a “GOP filibuster” or similar Republican intransigence, or by “fierce” lobbying by utilities. They described the bill as “weakened.” None of this is completely accurate. Other reports pointed out that the Senate Minority Leader, Republican Mitch McConnell, still wants cyber legislation. But McConnell had offered an amendment to repeal the Affordable Healthcare Act – a worthy goal if you agree but hardly a good thing to attach to a bipartisan cybersecurity bill. The problem is also described as Majority Leader Harry Reid calling for cloture before any hearings or inter-party discussions on the amendments. In other words, political muscle prevailed more than lobbying did.
You can pretty much pick your villains here.
In the revised Lieberman bill, the Homeland Security Department is pulled from its intended role as essentially a regulator of cybersecurity practices. In its place the revised bill substitutes a government-industry panel, to be chaired by the Secretary of Homeland Security. It would come up with guidelines and voluntary standards – with goodies like protection from liabilities for companies that adopt them.
It’s not as if every system operated by every utility would be covered. The bill defines “critical” as “assets whose disruption could result in severe degradation of national security, catastrophic economic damage, or the interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations.” InfosecurityIsland.com offered this summary of the amendments.
What happens next is anybody’s guess. Nothing until September 10, though, because Congress is in recess until then. A better course of action might be to pass those parts of the bill that the two sides agree on. As we’ve noted, the McCain bill used identical language to the Lieberman bill when detailing changes in what the government should do about its networks. Federal approaches to cybersecurity have been changing for some time anyhow.
Less certain is how effective prescriptions for the private sector would be because cybersecurity is such a fast-moving field. At least Congress might have the time to deal with these bills seriously if it crafts and passes the six-month continuing resolution promised just before the recess.