Final attempt to pass cybersecurity legislation appears doomed

Meet the new U.S. Senate fight over federal cybersecurity legislation -- pretty much the same as the old fight.

That, at least, is the take of cybersecurity experts who watched the first attempt to pass the 2012 Cyber Security Act (CSA) fail in early August. While Senate Majority Leader Harry Reid is reportedly planning to bring the bill to the floor, possibly this week, there have been few substantive tweaks to a proposal that drew vocal opposition from privacy groups, business groups and most Senate Republicans.

The Hill reported on Saturday that an unnamed Senate Republican aide said, "While we are eager to pass effective cybersecurity legislation, we are no closer to a compromise than we were this summer."

Indeed, the Electronic Frontier Foundation (EFF), while it praised some modifications to the version of the CSA that Reid tried to bring to a vote in August, still celebrated the demise of a bill the group said "would have given companies new rights to monitor our private communications and pass that data to the government."

EFF's Mark Jaycox said the organization remains "adamantly against cybersecurity legislation, while also trying to ensure pro-privacy amendments."

Jaycox pointed to a page on the EFF website that contends that innocuous-sounding words can have not-so-innocuous meanings. "On Capitol Hill, information 'sharing' doesn't mean what you think it means: it's a euphemism that includes monitoring or surveillance of your communications," EFF said.

Alex Wilhelm writes at The Next Web: "The reasons as to why cybersecurity is dead for the moment remain exactly as they were when the issue died in the Senate the first time 'round this year." He was confident enough to make a pledge: "If there is any real progress on cybersecurity that is not led by the President [through an executive order] before the end of the year, I'll eat my mousepad," he wrote.

President Obama, as has been widely reported, does have an executive order drafted that would implement at least some of the provisions of the CSA, including incentives for information sharing between government and the private operators of critical infrastructure.

But Senate Republicans, including Sen. Susan Collins (R-Maine), who cosponsored the CSA with Sen. Joseph Lieberman (I-Conn.), have said the president should not bypass Congress on the issue. Even Democrats, some of whom have urged the president to issue an executive order, agree that an order would not be able to impose statutory authority on all its directives, while legislation would.


Why would Senator Reid even bring it up, since with the election over there is little point in trying to paint Republicans as "soft on terrorism"? James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, told The Hill it is likely more about strategy -- that Reid wants to "test the waters, to shape the landscape for the next Congress."

"Each side is going to push each other a little bit to see where the weak spots are," he said.

Roger Thornton, CTO of AlienVault, said Reid may think the CSA is a safe test. "[It] would be a pretty benign issue to test the waters of compromise before diving into tax and budget matters," he said.

If there is to be any hope of passing legislation in this session or the next, it is likely going to take compromise on both sides. Republicans fault Reid for refusing to allow an "open amendment process."

"A lot of people have good ideas for improving/changing the bill, but they were all blocked from offering their amendments for a vote last time - despite Sen. Reid's public pledge that the bill would be 'subject to as fair, thorough, and open a process as is conceivable,'" an aide to Senate Minority Leader Mitch McConnell told CNET.

But if that is going to happen, Republicans will have to agree to propose only relevant amendments, unlike some they offered last summer, which had to do with things like abortion, gun control or the Affordable Care Act.

"Amendments that are clearly and directly related to the bill topic should always be an option. That is necessary for collaborative and cooperative lawmaking," said Rebecca Herold, CEO of The Privacy Professor.

"But, tacking on amendments that are not even remotely related to the bill is, quite bluntly, crazy and takes the focus off the importance of the bill's topic. A new law about cybersecurity should be just that. Our lawmakers should not be making the passage of their own pet cause a condition of their backing a bill," she said.

Thornton said Reid and other Democrats should listen to groups like EFF. "They are highlighting a major, major problem," he said. "The poor consumer today is trading an incredible amount of detail about themselves for a specious return in terms of free services like email and web searches. It seems the government is engaged in mining consumer information at a disturbing depth already."

The good news is that there is lots of energy being devoted to securing the nation's infrastructure, "by legions of security practitioners with or without this legislation." The CSA, or any other bill, "is not the 'start' of a cybersecurity response," Thornton said.

Stories by Taylor Armerding
