Cybersecurity could be America’s Achilles’ heel, if you believe statements over the past year by President Obama, congressional leaders on intelligence and security, and private-sector operators of critical infrastructure that runs the country.
The next big cyber attack on a crucial element of our economy may strike before you finish reading this article.
A massive hack at the U.S. Postal Service was revealed just last week — not that the postal service runs the country — following cyber penetrations targeting a prime contractor for the Department of Homeland Security and incidents affecting a long list of America’s favorite blue-chip retailers, financial service providers and others.
The urgency seems indisputable.
But it’s unclear whether cybersecurity will make it onto Congress’ lame-duck agenda over the next month or so.
Cybersecurity bills have piled up in the chute leading to final passage, but it will take a variety of breaks before any of those measures actually reaches President Obama’s desk and becomes law.
Businesses, represented by the U.S. Chamber of Commerce and trade groups such as the Financial Services Roundtable and Information Technology Industry Council, are putting their weight behind legislation to make it easier for companies to share information about cyber threats both with government and among themselves.
Senate Intelligence Committee Chair Dianne Feinstein, D-Calif., who surrenders the gavel to the new Republican majority in January, and the committee’s retiring ranking member, Sen. Saxby Chambliss, R-Ga., desperately want to pass their Cybersecurity Information Sharing Act during the lame-duck session.
The measure has drawn the ire of civil liberties and civil rights groups over an alleged lack of privacy protections. At the very least, these groups have said, National Security Agency reforms must come before anything like Feinstein-Chambliss is considered.
“Snowden killed information sharing,” attorney Brian Finch said at a meeting on cybersecurity policy in Washington last week. Finch supports the information-sharing bill but said ex-NSA contractor Snowden’s leaks poisoned the well for all kinds of cyber legislation.
Majority Leader Harry Reid, D-Nev., has now set the stage to bring an NSA reform bill to the Senate floor.
That could remove a high hurdle in the way of several cybersecurity measures, although nothing will be straightforward when it comes to setting cyber policy on Capitol Hill. The NSA reform bill by Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., has bipartisan support, but also some important opposition, including from Chambliss. How it will be received in the House remains to be seen.
Even if Leahy’s bill were to pass both chambers, the Feinstein-Chambliss information-sharing bill might not have a clear path: The Obama White House has expressed deep concerns over that piece of legislation.
Obama’s team promised to veto a similar cybersecurity information-sharing bill from retiring House Intelligence Committee Chairman Mike Rogers, R-Mich., which was passed by the House.
The White House and leaders of the congressional intelligence committees discussed compromise language last summer, but it’s not clear whether those talks yielded the makings of a deal.
The Obama administration has called on Congress for months to put aside controversial information-sharing legislation and instead pass widely supported cyber bills.
The Postal Service hack could provide momentum for these. Measures addressing the Department of Homeland Security’s role in cybersecurity, its cyber workforce and the safety of federal computer networks could benefit, for instance.
“This latest report of a cyber breach on the U.S. Postal Service is further proof that our federal government is targeted just as much as the private sector in cyberspace,” said Senate Homeland Security and Governmental Affairs Chairman Thomas Carper, D-Del.
“Our committee has approved three bills that take important steps in our effort to modernize our nation’s cybersecurity programs and help the public and private sectors work together to tackle cyber threats more effectively in the future,” Carper said. “We need to redouble our efforts … and get these bills signed into law before the end of the year.”
Sources on the House and Senate homeland security committees said productive talks are under way that could lead to passage of the three bills during the lame-duck session.
Another bipartisan bill, passed by the Senate Commerce Committee, would codify the role of the National Institute of Standards and Technology in convening a public-private partnership on cybersecurity.
In fact, NIST is playing that role already and its framework of cybersecurity standards, released in February, has become the central arena for cyber policymaking at the federal level.
Over 3,000 people have participated in the process of developing NIST’s framework, Commerce Department General Counsel Kelly Welsh said last week, emphasizing that the voluntary approach has maximized the number of industry and other stakeholders at the table.
The Obama administration is also trying to reassure industry that it won’t pursue antitrust actions against companies that share information to help prevent cyber attacks.
Such protection is a key element of the Feinstein-Chambliss bill; the administration seems to be saying legislation isn’t needed to accomplish this objective. Welsh and other Obama officials are even stressing that the framework can provide liability protection for companies in the event of shareholder suits and other legal actions related to cyber incidents.
Those are all messages business wants to hear.
Further, NIST in late October conducted a well-attended workshop in Tampa, Fla., where officials emphasized that they are trying to foster an industry-led approach to cybersecurity — as the business community, and certainly congressional Republicans, want to see. But these steps can’t replace actual changes in law that provide legal certainty to businesses that are trying to define their own roles in cybersecurity, according to industry leaders.
Both the Obama administration and congressional leaders on security issues placed cybersecurity at the top of the pile of priorities in early 2013.
Whether the 113th Congress, in its dying days, can produce anything to improve the nation’s cyber posture is a question that is about to get an answer.
Charlie Mitchell is editor of InsideCybersecurity.com, a service covering cybersecurity policy from Inside Washington Publishers.