Final attempt to pass cybersecurity legislation appears doomed

Republicans say 'no closer to compromise' than last summer

Meet the new U.S. Senate fight over federal cybersecurity legislation -- pretty much the same as the old fight.

That, at least, is the take of cybersecurity experts who watched the first attempt to pass the 2012 Cyber Security Act (CSA) fail in early August. While Senate Majority Leader Harry Reid is reportedly planning to bring the bill to the floor, possibly this week, there have been few substantive tweaks to a proposal that drew vocal opposition from privacy groups, business groups and most Senate Republicans.

The Hill reported on Saturday that an unnamed Senate Republican aide said, "While we are eager to pass effective cybersecurity legislation, we are no closer to a compromise than we were this summer."

Indeed, the Electronic Frontier Foundation (EFF), while it praised some modifications to the version of the CSA that Reid tried to bring to a vote in August, still celebrated the demise of a bill the group said "would have given companies new rights to monitor our private communications and pass that data to the government."

EFF's Mark Jaycox said the organization remains "adamantly against cybersecurity legislation, while also trying to ensure pro-privacy amendments."

Jaycox pointed to a page on the EFF website that contends that innocuous-sounding words can have not-so-innocuous meanings. "On Capitol Hill, information 'sharing' doesn't mean what you think it means: it's a euphemism that includes monitoring or surveillance of your communications," EFF said.

Alex Wilhelm writes at The Next Web: "The reasons as to why cybersecurity is dead for the moment remain exactly as they were when the issue died in the Senate the first time 'round this year." He was confident enough to make a pledge: "If there is any real progress on cybersecurity that is not led by the President [through an executive order] before the end of the year, I'll eat my mousepad," he wrote.

President Obama, as has been widely reported, does have an executive order drafted that would implement at least some of the provisions of the CSA, including incentives for information sharing between government and the private operators of critical infrastructure.

But Senate Republicans, including Sen. Susan Collins (R-Maine), who cosponsored the CSA with Sen. Joseph Lieberman (I-Conn.), have said the president should not bypass Congress on the issue. Even Democrats, some of whom have urged the president to issue an executive order, agree that an order would not be able to impose statutory authority on all its directives, while legislation would.

Why would Senator Reid even bring it up, since with the election over there is little point in trying to paint Republicans as "soft on terrorism"? James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, told The Hill it is likely more about strategy -- that Reid wants to "test the waters, to shape the landscape for the next Congress."

"Each side is going to push each other a little bit to see where the weak spots are," he said.

Roger Thornton, CTO of AlienVault, said Reid may think the CSA is a safe test. "[It] would be a pretty benign issue to test the waters of compromise before diving into tax and budget matters," he said.

If there is to be any hope of passing legislation in this session or the next, it is likely going to take compromise on both sides. Republicans fault Reid for refusing to allow an "open amendment process."

"A lot of people have good ideas for improving/changing the bill, but they were all blocked from offering their amendments for a vote last time - despite Sen. Reid's public pledge that the bill would be 'subject to as fair, thorough, and open a process as is conceivable,'" an aide to Senate Minority Leader Mitch McConnell told CNET.

But if that is going to happen, Republicans will have to agree to propose only relevant amendments, unlike some they offered last summer, which had to do with things like abortion, gun control or the Affordable Care Act.

"Amendments that are clearly and directly related to the bill topic should always be an option. That is necessary for collaborative and cooperative lawmaking," said Rebecca Herold, CEO of The Privacy Professor.

"But, tacking on amendments that are not even remotely related to the bill is, quite bluntly, crazy and takes the focus off the importance of the bill's topic. A new law about cybersecurity should be just that. Our lawmakers should not be making the passage of their own pet cause a condition of their backing a bill," she said.

Thornton said Reid and other Democrats should listen to groups like EFF. "They are highlighting a major, major problem," he said. "The poor consumer today is trading an incredible amount of detail about themselves for a specious return in terms of free services like email and web searches. It seems the government is engaged in mining consumer information at a disturbing depth already."

The good news is that there is lots of energy being devoted to securing the nation's infrastructure "by legions of security practitioners with or without this legislation." The CSA or any other bill "is not the 'start' of a cybersecurity response," Thornton said.

Copyright © 2012 IDG Communications, Inc.
