Washingtonians rarely miss an opportunity to tell you how technological innovation has outpaced the law. You'll hear it from progressives who cite it as evidence that regulations need to be strengthened, and you'll hear it from conservatives who say those same regulations ought to be repealed. In either case, the prescription involves some act of Congress. But what if Congress isn't the right body for the job?
On Tuesday, the Senate Commerce Committee approved a version of the cybersecurity bill it's been crafting for the past few months. Dozens of businesses and industry groups chimed in to support the legislation, which now heads to the Senate floor. Yet the bill is also a sign of how timid lawmakers have become on the issue compared to previous attempts.
The new bill codifies an Obama administration move instructing the National Institute of Standards and Technology to develop ideas businesses can use to bolster their online defenses. It also sets up a workforce training plan to produce more IT security professionals. Notably, though, it avoids the changes Obama and businesses have requested most. It doesn't lay out rules for how the private sector can share information about cyberattacks with each other and with the government, and it doesn't provide companies liability protection for cooperating with Washington.
High-ranking members on the panel admit the bill is limited, but they're hopeful that other committees will pick up what's in their jurisdiction.
"It doesn't do everything we need to do to improve our cybersecurity," said Sen. Jay Rockefeller (D-W. Va.), "but it's a good start."
This isn't the first time Congress has tried to shore up cybersecurity. Last year, a bill proposed by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) was rejected in part because businesses worried that it would mean onerous new regulations. CISPA, the House's cybersecurity bill, ambitiously takes on the hard questions that Rockefeller's panel didn't look at this time. But the White House has twice issued a veto threat over CISPA's seemingly expansive terms, a move that effectively dooms the bill.
If those attempts offer any lessons for the Senate, they might sound like this: Don't impose regulations on businesses, and keep a low profile.
The new cybersecurity bill appears to hew closely to those lessons. Following the White House's lead, it taps NIST as the agency in charge of setting up a process to let businesses figure out what security guidelines work best. Agency Director Patrick Gallagher has repeatedly insisted that he's simply acting as a "convener" and that the process will only produce a voluntary framework, not mandatory requirements. It's an arrangement that, politically, works for everyone. Government is mostly out of the way, but it still can claim to be doing something.
There are things that only an act of Congress can accomplish, of course. But given the progression of proposals we've seen over time, placing expectations in the hands of bureaucrats rather than lawmakers might be a safer bet.
We've come a long way if the Senate now cedes this point without adding much else. And it also hints at something wider: If settling cybersecurity demands a level of coordination that only a federal agency is trusted enough to provide, then maybe Congress isn't the solution we're looking for.