Window closing on cybersecurity bill in Congress

Deadline? What deadline? The deadline for the U.S. Senate to vote on some version of a cybersecurity bill seems to be both amorphous and porous.

Less than two weeks ago, everybody involved was saying if it was going to happen, it would have to be before the end of the Senate's current work period, on June 29.

Majority Leader Harry Reid pledged that he would bring the 2012 Cyber Security Act (CSA), cosponsored by Sens. Joseph Lieberman (I-Conn) and Susan Collins (R-Maine), to the floor for a vote sooner rather than later.

"I put everyone on notice: We are going to move this bill at the earliest possible date," Reid said on the Senate floor. And Lieberman said at the time that he was confident legislation would go to the floor this month.

That was then. By the middle of last week, June had shifted to July. Nicole Johnson, writing in the Federal Times, said Lieberman told reporters at a cyber briefing by the Department of Homeland Security (DHS) that, "I'm as confident as I can be that this will come up no later than July."

This, said Leslie Phillips, communications director for the Senate Homeland Security and Governmental Affairs Committee, is just the reality of the Senate. "Originally, Sen. Reid said the bill would come up in the first work period. That didn't happen. Then we thought it would come up in the second. That didn't happen. And so on," she said. "The decision is entirely up to the leader."

Not that there isn't plenty of talk about it. In the past two weeks, Lieberman and Collins hosted a demonstration for fellow senators by the DHS' U.S. Computer Emergency Readiness Team (CERT) to show how easily hackers can gain control of a person's computer through spear phishing -- targeted emails crafted to look credible enough to convince an individual to divulge information or open malicious files.

Andrew Couts reported in Digital Trends this week that on the House side, Rep. Mike Rogers (R-MI) said in a panel discussion hosted by The Week magazine that he believes President Obama will sign the legislation he co-sponsored, called the Cyber Intelligence Sharing and Protection Act (CISPA), if it reaches his desk.

The House passed CISPA by a healthy 248-168 on April 26, but the White House issued a statement before the debate on the bill even started saying no bill would be signed that did not ensure the protection of critical infrastructure systems and guard the privacy of citizens. CISPA did neither, the White House said.

However, a number of observers suspect that Rogers might be right. A month after the veto threat, Obama's head of cybersecurity, Howard Schmidt -- a vocal CISPA critic and the administration's voice on such legislation -- retired.

"Furthermore, Obama isn't exactly known for sticking tightly to his guns on vetoes," wrote Andrew Couts on Digital Trends.

And amid the competition between CISPA and CSA is a proposed compromise by Sens. Sheldon Whitehouse (D-R.I.) and Jon Kyl (R-Ariz.) that they hope will settle the debate over how heavy the hand of government should be in regulating industries that operate critical infrastructure by replacing the mandates contained in CSA with incentives for meeting what the proposal calls Baseline Performance Goals. Republicans, especially Sen. John McCain, of Arizona, have said they will not support legislation that "burdens" industry with more regulation.

The proposal is not a bill -- all that has been seen of it so far is a six-page conceptual draft. But it was good enough to prompt a letter from Sens. Olympia Snowe (R-Maine) and Mark Warner (D-VA) to Reid and Republican Senate Minority Leader Mitch McConnell, asking them to set a firm date during the July work period to debate legislation.

While the letter has no direct reference to the Kyl-Whitehouse proposal, it does say, "there is tremendous potential for this chamber to forge a viable solution that incentivizes private sector participation and collaboration" -- the key word being "incentivizes."

Lieberman told reporters at the cyber briefing that he believes his proposal is the best of the several on the table. But he is also aware that the window of opportunity is closing. "The time remaining to do this is growing short," he said.

"We know that the 'lame duck' session will be almost exclusively taken up with the crucial national security debate about reversing the $500 billion in defense cuts mandated by the Budget Control Act, as well as dealing with the expiration of the Bush tax cuts and the payroll tax cuts," Lieberman said.

Paul Rosenzweig, founder of the homeland security consulting firm Red Branch Law & Consulting, and a former DHS policy official, writing on the Lawfare blog this week, agrees. "If there is no action in July before the big August recess there is precious little likelihood of movement this year," he wrote.

If the window does close, it will be a disappointment, but not a huge surprise to experts like Joel Harding, a retired military intelligence officer and now an information operations expert and consultant. "We have been discussing this issue for close to 15 years," he said. "I even did my MBA thesis on it."
