Heated debate over stalled cybersecurity bill pits pro-defense Democrats vs. hands-off Republicans

The cybersecurity bill that went down Thursday to legislative defeat shows the deep schism in Congress that had Democrats siding with traditional national-security defense hawks, and Senate Republicans, who toppled the bill, largely siding with businesses that didn't want government foisting new regulations on them.


The White House today was expressing "profound disappointment" about Republican "obstructionists," claiming that "special interests" were "seeking to avoid accountability" and that the legislation would "better protect our nation from potentially catastrophic cyberattacks." One main point of debate in this now-stalled legislation is whether any new cybersecurity guidelines should be mandatory or voluntary for companies such as electric-power suppliers to follow.

The original cybersecurity bill had made the proposed standards mandatory, but even after it was watered down to make them largely optional, it still didn't win approval from skeptical Republicans who don't want private industry regulated this way. This stance against cybersecurity regulation draws fierce criticism from Stewart Baker, an attorney who served at the Department of Homeland Security in the George W. Bush administration and at the National Security Agency, and whose national-security defense hawk credentials shouldn't be in doubt.

"I would support mandatory requirements because I feel this is a real crisis," said Baker, partner in the Washington, D.C. law office of Steptoe & Johnson.

Long connected in national-intelligence circles, Baker says he's speaking about his own personal point of view when he discusses the now-stalled cybersecurity bill.

Having voluntary standards for security simply isn't sufficient, Baker warns. But he acknowledges that any new standards related to network security and audits "could be expensive." The North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection guidelines in place today simply aren't enough, he says. Baker has been an advocate of in-depth government-based auditing of the networks that provide critical electric supply, noting that a number of countries in Asia, including China, follow this practice.

Baker says the need for this kind of government oversight for vital infrastructure may eventually be "learned the hard way" when cyberattacks one day take down the grid or disrupt other critical resources the public takes for granted. But instead of lengthy debate and compromise over cybersecurity legislation, the ensuing panic in a crisis might result in extreme legislation that becomes law.

Industrial control systems (ICS) increasingly include Windows-based and other network products familiar to enterprise IT shops, and updating ICS-based networks is difficult, as companies admitted at the recent Industrial Control Systems Working Group meeting organized by DHS in May in Savannah, Ga. And of course, the covert U.S. and Israeli attack by means of the Stuxnet weaponized malware two years ago against the Siemens control systems in an Iranian plant suspected of developing a nuclear weapon has become a clear sign that cyberattacks are real.

One of the problems is that companies are simply in denial about cyberattacks, Baker says. "We have to persuade companies that own the infrastructure that they really are at risk of attacks from adversaries that have names and addresses," he says. He adds the intelligence community should be stepping up to "do a better job" to share information about attackers.

Baker says the White House is so concerned about the potential for cyberattacks that if the cybersecurity bill fails this time around, he wouldn't be surprised if President Obama sought the authority to issue an executive order to strengthen the government's hand in regulating critical infrastructure.

Others say they also feel there's a sense of urgency in setting mandatory security and audit requirements that would involve stricter government oversight for industries such as electric power.

Chris Petersen, CTO at LogRhythm, says it's his personal view, as someone who feels patriotic toward his country, that it's time to have effective mandatory requirements for critical infrastructure such as the power grid and water systems.

Petersen says the ongoing attacks already feel like "a perpetual state of war," with attackers, possibly including nation-states, constantly probing networks. New government regulation probably would add expense, he acknowledges, so it might be a good idea to have some sort of "subsidy" to cover that, he says. "But there needs to be some sort of auditability and enforcement."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.
