President Obama, whose administration once considered such a mandate essential, last week urged passage of the legislation, stating in an opinion piece that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.”
“On balance, we think that voluntary standards will still enable us to make meaningful improvements in cybersecurity,” the White House’s cybersecurity coordinator, Michael Daniel, said in an interview Tuesday. He conceded that the idea of mandatory standards was “legislatively almost impossible” right now, but “that’s the ultimate goal.”
Even voluntary standards are opposed strongly by many in the business sector. And even if the current bill passes the Senate, it must be reconciled with a House bill that lacks any mention of standards and that focuses instead on the exchange of cyberthreat data between industry and government.
In an election year, with budget and tax issues yet to be resolved, that will be a tall order.
Sen. Joseph I. Lieberman (I-Conn.), one of the bill’s five main sponsors, urged colleagues not to let “perfect . . . be the enemy of the good” and to proceed to debate this week. He strived to frame the issue as one of national security. “This is not about business regulation. This is about cyber attacks.”
Officials have warned that a cyberattack could overtake terrorism as the top threat to U.S. national security.
The challenge is that the most vulnerable systems — the computer networks that run the nation’s power, water, banking, transportation and communications — are overseen by the private sector. Legislators have sought to strike the right balance between regulating the private sector and encouraging companies to voluntarily tighten security measures.
But the concessions have not mollified business interests, which have powerful influence in the Senate.
“While this sounds appealing on its face, a government-administered program would shift during the implementation phase from being standards based and flexible in concept to being overly prescriptive in practice,” Ann M. Beauchesne, the Chamber of Commerce’s vice president of national security and emergency preparedness, said in a statement.
The bill to be taken up in the Senate has also drawn criticism from those who believe it has been too watered down to ensure the nation’s critical computer systems are secure.
“No bill better than a bad bill,” James A. Lewis, a Center for Strategic and International Studies cyber-expert, tweeted on Monday.
Senators “have two weeks to put some teeth back in,” Lewis said in an interview. “Then they need to make it an up-or-down vote. Are you for national security? Or does that come second?”
Whatever cyber-legislation emerges is likely to call on the government and the private sector to do more to share cyberthreat data, or information that indicates malware in a network. Both the bill endorsed by the White House and a rival GOP bill aim to enhance such data-sharing.
But privacy advocates have concerns about even such technical data being shared with national security and intelligence agencies. Lieberman said the Cybersecurity Act of 2012 has been modified to address those concerns.
A bill passed by the House, sponsored by Intelligence Committee Chairman Mike Rogers (R-Mich.) and the panel’s ranking Democrat, Dutch Ruppersberger (Md.), shields companies from privacy lawsuits for voluntarily turning over cyberthreat data.
The White House has issued a veto threat on the legislation on privacy grounds, but analysts say that a compromise on this issue is feasible.
Senate Majority Leader Harry Reid (D-Nev.) on Tuesday rejected suggestions from GOP colleagues that he delay consideration of the cybersecurity bill until the defense authorization legislation is taken care of.
“Failing to act on cybersecurity legislation not only puts our national security at risk,” he said, but it also “recklessly endangers members of our armed forces and missions around the world.”