The Failed Cybersecurity Act of 2012
With cyber threats in the news almost daily, there are growing demands for legislative action—but so far little consensus on what kind of measures are needed.
The Cybersecurity Act of 2012 (CSA), the most significant legislative undertaking on cybersecurity issues in the United States to date, was blocked from proceeding to a vote in the Senate on August 2. The CSA is now left to languish as members of Congress return to their districts to prepare for the fall campaign.
In a July 19th Wall Street Journal op-ed supporting the bill, President Barack Obama maintained that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.”
On that point, members of both parties and most of the policy community agree—but on little else. Critics of the recent bill, which changed substantially from its original form, raised objections to the bill’s implications for both privacy and government regulation of businesses.
Civil liberties groups raised an outcry over provisions in the bill that called for increased information sharing between businesses and government. Warning of the potential for misuse of personal information especially by defense-related organizations, the American Civil Liberties Union claimed that an early version of the bill would “unnecessarily threaten our privacy.”
A group of Republicans, led by Senator John McCain of Arizona, voiced opposition to the original CSA provision allowing the government to enforce minimum standards on critical infrastructure services such as power plants and dams. Charging that this part of the law imposes new regulatory burdens on businesses, McCain said in a statement that the solution isn’t “adding more bureaucrats or forcing industries to comply with government red tape.”
Both of these concerns were addressed in a later version of the CSA. The mandatory standards were changed to optional recommendations, and the information-sharing provisions were made fully transparent and revised to exclude non-civilian agencies. The result is a bill that partially addresses a number of major concerns, but fails to update the country’s infrastructure to adequately face the consequences of an attack.
To address cyber threats, any future bill must impose substantive changes to infrastructure management while simultaneously satisfying the concerns of pro-business and civil liberties groups. Unfortunately, given the heightened polarization of today’s Congress, such an outcome appears unlikely.
Now that the bill has failed, there are a number of options the Obama administration can consider. In an interview with BankInfoSecurity.com, EWI Board Member Melissa Hathaway explained that the president could engage with existing advisory panels as well as “industry leaders and/or key companies that have been breached” to galvanize voluntary reforms.
Additionally, in a recent statement that fueled speculation about an impending executive order, White House Press Secretary Jay Carney said that the president “is determined to do absolutely everything we can to better protect our nation against today’s cyber threats.”
Whatever unfolds legislatively, it is becoming increasingly clear that new measures are needed to ensure the security of critical infrastructure—and that a crisis situation in one country is more than likely to reverberate elsewhere. Much as the recent blackouts in India had unprecedented international repercussions, a cyber attack on the United States would severely impact the global economy. The price for inaction could be very high.