CQ WEEKLY – COVER STORY
May 12, 2012 – 12:16 p.m.
Cybersecurity: Rushing to Stall?
By Tim Starks, CQ Staff
When 2012 dawned, cybersecurity legislation was bathed in a glow of congressional harmony rare during an election year, particularly this one. On both sides of the aisle and on both ends of Capitol Hill, there was broad consensus that the cyberthreat was so severe that Congress had to act immediately. Not acting, officials from two administrations insisted, risked potentially trillions of dollars worth of economic damage from data theft or even a catastrophic attack on computer networks that could, say, push a nuclear power plant into meltdown.
Senate Majority Leader
After several years of wrestling with cybersecurity legislation to no avail, 2012 seemed primed like never before.
But that progress is deceptive. As the debate has become more and more prominent, the differences have become magnified. Pressures that always threatened to block action — disagreement over the role of federal regulations in defending privately owned computer networks, concerns about the privacy and civil liberties ramifications of any bills, and even election year politics — have begun to exert themselves. And the lobbies that have been working for months to sway lawmakers — telecommunications companies, the technology industry, privacy groups and others — have suddenly become huge players behind the scenes.
Now, despite the procedural advancement of cybersecurity legislation, Congress might actually be getting further away from, not closer to, delivering the first major cybersecurity bill to the president.
“It gets harder every week,” says Stewart Baker, who served as assistant secretary for policy at the Department of Homeland Security under President George W. Bush and is now a partner at Steptoe & Johnson, LLP.
The comprehensive Senate bill backed by President Obama and Reid would give the Department of Homeland Security regulatory authority to write new security standards on the most at-risk critical infrastructure owned by industry, such as computer networks tied to the electricity grid or banking system. That has drawn passionate opposition from business groups.
By contrast, legislation brought to the floor last month by House GOP leaders skipped over anything with even the faintest hint of regulation. That has elicited criticism from security hawks and proponents of the Senate bill, who say that without new security standards for industry, the House-passed bills fall far short.
Bills in both chambers have come under attack from privacy and civil liberties groups for provisions aimed at fostering better sharing of threat information between the federal government and businesses, prompting a contingent of lawmakers on both sides of the aisle to vote no or to threaten to do so.
And a more partisan tone has crept into the debate. A group of top Senate Republicans filed a counterproposal to the Reid-backed Senate bill after accusing its sponsors of not taking into account all points of view, even though the sponsors of that bill had repeatedly invited them to negotiations with little success. The Obama administration threatened to veto a House information-sharing bill for reasons that were widely seen by Republicans and industry figures as purely political.
“Business would like to have the information-sharing provisions,” says Baker, “but they don’t want anything on the other topic. The privacy groups don’t want anything on information sharing and are sort of neutral on security standards. Everyone’s mostly lobbying to stop stuff. And the easiest fight is one where you’re just trying to slow a bill down and kill it in an election year.”
Despite the setbacks, Rhode Island Democratic Rep.
“We’re narrowing in and focusing on where those areas of agreement are and where there are differences that need to be resolved,” says Langevin, who co-chaired the Center for Strategic and International Studies’ Commission on Cybersecurity in the 44th Presidency. “Before, we had nothing to go on. Now at least, we’re seeing movement.”
And even those who have felt the anger of business groups and privacy groups say their lobbying has sometimes played a constructive role in the debate, helping to shape bills with their criticisms.
Meanwhile, every week seems to bring news of a major new cyberattack. On May 4, the Homeland Security Department warned of a “gas pipeline sector cyber intrusion campaign.” More such threats could help push the legislation forward, and many lawmakers remain publicly optimistic about the odds of passage.
Still, a growing number of outside observers look at the confluence of forces and fear that 2012 might pass without anything happening at all.
“It’s going to be a tough row to hoe,” says James A. Lewis, director of the Center for Strategic and International Studies’ technology and public policy program.
Cybersecurity has become a particularly complex issue for Congress because the private sector owns almost all of the nation’s most crucial computer networks — an estimated 85 percent to 90 percent of them. That means any catastrophic attack would almost surely target industry in some way. Therefore, any legislation has to wrestle with such topics as whether or how to mandate that businesses comply with security regulations, as well as what kind of incentives could nudge businesses to protect their networks on their own, such as incentives to break down barriers to sharing threat information between businesses and the federal government.
The bill that has drawn the greatest animosity from business groups is the Reid-backed measure, which is sponsored by Senate Homeland Security and Governmental Affairs Chairman
But the section that worries business groups is the one that would lead to the establishment of new security standards for the most at-risk privately owned computer networks.
Under the bill, the Department of Homeland Security would consult with industry to determine which digital infrastructure was most vulnerable to attacks that could result in heavy loss of life or do catastrophic damage to the economy or national security. It would evaluate existing security protocols for those computer systems and work with businesses to set performance standards for vital infrastructure in vulnerable industries.
And it would give those businesses the chance to meet those performance standards as they see fit, through self-certification or third-party audits.
Eventually, businesses out of compliance with the standards could face fines or civil penalties. Those meeting the standards would be protected against lawsuits in the event of an attack.
To some security experts, such as Baker and Lewis, those regulatory provisions are too meek to ensure the security of the most vital networks, and the bill’s sponsors have already bent too far to please business groups.
But establishing some system of security standards, they say, is essential to any cybersecurity legislation. There is no stark partisan line among those experts.
Many top administration officials have endorsed legislatively created security standards for businesses — including, most recently, National Security Agency Director Keith B. Alexander, who wrote in a May 4 letter to Arizona Republican Sen.
At a Feb. 16 hearing on the Lieberman bill, the U.S. Chamber of Commerce explained its opposition to the legislation. Tom Ridge, another former Bush secretary of Homeland Security who also chairs the Chamber’s national security task force, said it gave his old department too much leeway to write strict security regulations, no matter the intention of the bill’s sponsors to keep the bill light on government mandates.
“A light touch can become very prescriptive,” he said. That could lead to economic damage to those companies without many gains in security, Ridge said.
McCain and a number of other Republicans soon introduced their own cybersecurity legislation that addressed many of the same topics as the Lieberman bill, but left out any mention of new security standards for critical infrastructure. The Chamber endorsed that bill.
It also endorsed the House leadership slate of bills as part of a coalition with a number of business groups.
House leaders had earlier planned to include in that slate a measure sponsored by
Businesses have found philosophical allies in tea party conservatives, who fundamentally oppose government regulation. “If you look at the combination of the business groups and tea party guys, they completely overturned the House,” says Lewis.
Says Langevin: “Clearly the private sector — the Chamber of Commerce and that community — have weighed in with Republicans, and Republicans have decided to listen to them that they don’t want any regulation of critical infrastructure.”
That doesn’t mean business groups haven’t conceded some ground elsewhere. Rep.
Business groups agreed to a number of rules aimed at protecting privacy in the Rogers-Ruppersberger bill, Ruppersberger says, although they drew the line at mandatory “minimization” to reduce the amount of personal information businesses pass along to the government. Ruppersberger says business groups have told him that would have been too expensive.
Some lawmakers also say businesses ought to lobby against regulations.
“It is true that businesses are looking after their best interests, and that’s what we expect them to do,” says Rep.
Nor are all businesses speaking with one voice.
“I’ve had no opposition from business,” says Senate Select Intelligence Chairwoman
Matthew Eggers, senior director of national security and emergency management with the Chamber of Commerce, says the group has worked hard to pass cybersecurity legislation, including the Rogers-Ruppersberger bill, which, along with the McCain bill, “point the way toward greater economic and national security.” But it opposes the Lieberman bill.
“Senate leadership needs to cast aside costly and unproven regulatory proposals that would tie the hands of security professionals,” Eggers said. “A new federal cybersecurity program is conceptually not the best approach, and it’s far from certain that it would be managed by government officials in such a way that would return to business owners and operators a dollar’s worth of security for each dollar spent on compliance mandates.”
Power of Privacy
While it is a Senate bill that most perturbs business groups, the Rogers-Ruppersberger bill is the one that has most perturbed privacy and civil liberties groups.
That information-sharing legislation would require the director of national intelligence to issue guidelines for temporary or permanent security clearances to allow the government to share classified cyberthreat intelligence with certified entities. Businesses that shared information with the government would in return be shielded against lawsuits arising from their information sharing.
Privacy groups argue that the bill allows too much personal private information to get into the hands of the federal government without sufficient protections on its use.
They were so opposed to that bill that they spent the week before the House vote — which they labeled “Stop Cyber Spying Week” — campaigning against the legislation in an electronic grass-roots-style effort meant to stir up opposition similar to the tidal wave that drowned a pair of Internet anti-piracy bills last winter.
Rogers and Ruppersberger tried with a series of amendments to win over privacy groups that opposed the bill, but for the most part they were unsuccessful. Privacy advocates say the bill as passed by the House on April 26 would grant overly broad lawsuit protections, allow businesses to share personal private information directly with military agencies and would not do enough to ensure “minimization” of personally identifying information.
The administration threatened to veto the bill in part because it didn’t include any security standards for critical infrastructure and in part because the White House contended that it didn’t provide enough privacy protections. Democrats and Republicans alike said it didn’t make sense to threaten to veto a bill for provisions that were absent, particularly when the bill contained other things the administration favored. And some cybersecurity experts sensed that in criticizing the bill’s privacy protections, the administration was trying to cater to the political left, which was up in arms about the issue.
The bill passed the House by a wide margin, but significant numbers of Republicans and Democrats voted against it. One technology lobbyist says Rogers had tried to gain support of some privacy groups with changes to his bill beforehand because he feared that Republicans would abandon the legislation, fearing a constituent backlash like the one from the anti-piracy legislation.
Rogers says that wasn’t the idea.
“We were trying to get to a bill where people would say, ‘Yeah, that’s rational,’” Rogers says, adding that he had his own personal reservations about government intrusion. “I have privacy concerns. I have no interest in having people’s personal data flying around government circles.”
The fight will move to the Senate soon. A coalition of civil liberties groups announced last week that they would oppose the Lieberman legislation because, as they wrote in a letter to senators, it would “allow companies, ‘notwithstanding any law,’ to share sensitive Internet and other information with the government without sufficient privacy safeguards, oversight or accountability.” A Lieberman spokeswoman says the senator is working with those groups to make revisions to the bill.
It’s not clear yet what percentage of senators would vote against that bill purely on the basis of whether it adequately safeguards privacy, but at least one senator was recently highly critical of both the Lieberman and the McCain bills.
“Both of these bills sweep aside decades of privacy laws,” Minnesota Democrat
Commerce, Science and Transportation Chairman
Thornberry says the privacy issue does have political potency, though. “If you get people frightened on privacy issues, you’ll get people in both parties bolting,” he says.
Rogers has criticized some groups, namely the American Civil Liberties Union, for opposing any cybersecurity legislation no matter what. Michelle Richardson, legislative counsel for the group, says that’s not her organization’s view. She says the ACLU has no problem with some of the other House-passed bills, such as the two that deal with cybersecurity research and development, and doesn’t object to most provisions of the Lieberman bill. And, she says, she can envision a narrowly tailored information-sharing bill that the ACLU could support.
But there are circumstances in which Richardson says the ACLU would be happy with no cybersecurity legislation at all, citing surveillance-related legislation that Congress has enacted in recent years and never modified afterward.
“No bill is better than a bad bill,” Richardson says. “Once this passes, we’re stuck with it.”
Election Year Politics
Overall, whether lawmakers are most worried about regulation, privacy, or something else, the election year is amplifying the urge to resist cybersecurity legislation.
Already, the combination of lawmakers who are worried about privacy or regulation amounts to a “potent mix,” says Jim Dempsey, vice president for public policy with the Center for Democracy and Technology.
And election years tend to inject partisanship into issues where party lines would otherwise be less relevant, says Lewis. “An election year is a bad idea to try to do this,” he says. “People are taking a step back and looking at it through a partisan lens.”
Adds Baker: “What you worry about is that people start thinking that maybe if the other side wants it, it must be bad for them, and backing away from progress that could otherwise be made. We are seeing a little of that. The president’s bizarre veto message is part of that. Senate Republicans hardening their opposition is troubling.”
All the sides remain confident in public right now that they will get their way and are trying to avoid sacrificing their goals. Rockefeller says he isn’t open to compromising on security standards for critical infrastructure to get more Republicans on board. “Definitely not,” he says. “That’s like giving up the basic national security protection of the country.”
Thornberry says passing an information-sharing bill this year would be a good start, since there is the most agreement on that topic. If need be, Congress can come back later to some of the thornier questions on topics such as critical infrastructure security standards.
“All this progress we’ve made to this point is not going to matter much if there is no bill signed into law on any issue,” he says.
Ambreen Ali, Jennifer Scholtes, Emily Cadei and Rob Margetta contributed to this story.
FOR FURTHER READING:
The Lieberman legislation is