CQ NEWS
Jan. 29, 2013 – 8:02 a.m.
Lawmakers Lay Out Cybersecurity Bill Markers Ahead of Expected Obama Executive Order
By Tim Starks, CQ Roll Call
Congressional action on new cybersecurity legislation appears to be on hold as new members bring themselves up to speed on the issues and lawmakers await an executive order from President
It is unclear when Obama will issue the executive order, but it is widely expected to address the thorny question of requiring private companies to protect their computer networks against cyber attacks. Business groups oppose any industry security standards.
In the meantime, lawmakers in the House and Senate are laying down markers for what they want to see in the legislation.
Last week, leaders of the three Senate committees most central to the cybersecurity debate — incoming Homeland Security Chairman
The measure says Congress’ goals should be to strengthen protections for both public and private sector computer networks; improve information sharing between the private sector and government; and develop a public-private partnership to defend against cyber attacks.
The measure doesn’t specify how private sector networks should be strengthened and whether those defenses should include new industry security standards. Last year’s comprehensive Senate cybersecurity bill got hung up over language that would have created security standards for the most important digital infrastructure. Lawmakers could not agree on whether the proposed standards were sufficiently voluntary or whether the incentives for complying with them were adequate.
Emily Spain, a spokeswoman for Carper, said that the senator wants those who resisted last year’s comprehensive legislation to reconsider. She said he is eager to work with them, as well as to see what kind of executive order comes out of the White House. She said he would then determine what kind of legislation might be needed to accompany it.
In the GOP-led House, the most popular approach to cybersecurity legislation echoes the concerns of most industry, emphasizing information sharing between industry and the government and industry but excluding industry security standards.
Supporters of the House approach hope that changes to Congress in 2013 will help usher their proposals through this year.
“What’s new is the new Congress, ” John Engler, president of the Business Roundtable, told reporters this month. “We have an opportunity to really get this right.”
The Business Roundtable, which like many business groups opposes any industry security standards, recently released a proposal for cybersecurity that was much like its previous position, including support for cybersecurity legislation centered on information sharing.
Maryland’s
Lieberman and Collins were two of the most vocal backers, with the White House, of industry security standards for critical infrastructure. They were co-sponsors with Carper, Rockefeller and Feinstein of last year’s comprehensive Senate cybersecurity legislation.
Lawmakers Lay Out Cybersecurity Bill Markers Ahead of Expected Obama Executive Order
“The issues they raised were important issues, but you can’t conquer Rome over night,” Ruppersberger said. “All we’re saying is get our bill passed and we’ll deal with those issues later, as far as homeland security issues. They’re important, and we have to deal with them, but you can’t do it overnight.”
The concern from security experts, the White House and others who supported last year’s standards-centric Senate legislation is whether any legislation that excludes standards will be effective.
That’s where the executive order might come in, said James Lewis, a cybersecurity expert at the Center for Security and International Studies.
“I think we will see an executive order that, if it looks anything like the drafts, will obviate the need for a lot of legislation, although it won’t completely remove the need,” Lewis said. “It will create standards that will eventually tell companies how to secure their networks. That removes a lot of the heat out of the critical infrastructure piece. If they do it right, people will realize it’s not that big a deal.”
But Tom Corcoran, a senior policy adviser to the House Intelligence Committee, said an executive order won’t be able to provide private business with the incentives to share threat information with the government. He noted that both the House-passed information-sharing bill and the Senate’s cybersecurity bill last year included provisions that would have protected businesses from lawsuits stemming from sharing information about cyber threats — something the executive branch could not offer on its own.
Corcoran, who was speaking at a Congressional Internet Caucus event last week, said information sharing legislation shouldn’t be “held hostage” by the issue of industry regulation, since there is no congressional consensus on that issue as there is on information sharing.
Although Congress has struggled to move a cybersecurity bill, congressional aides said further progress toward legislation was possible
“I don’t think there will be any cessation of effort,” Michael Hermann, an aide to
But he added there has been a lot of turnover in Congress since last year, in both the number of new lawmakers and the new leadership of several key panels, and it could take time to get everyone up to speed on the cybersecurity issue.
Besides the Senate Homeland Security and Governmental Affairs Committee, there are new chairmen at House Homeland Security, House Judiciary and other relevant committees.
Jason Cervenak, a senior adviser to the House Judiciary Committee that will now be chaired by
Jennifer Scholtes contributed to this report.