Window closing on cybersecurity bill in Congress

Deadline? What deadline? The deadline for the U.S. Senate to vote on some version of a cybersecurity bill seems to be both amorphous and porous.

Less than two weeks ago, everybody involved was saying if it was going to happen, it would have to be before the end of the Senate’s current work period, on June 29.

Majority Leader Harry Reid pledged that he would bring the 2012 Cyber Security Act (CSA), cosponsored by Sens. Joseph Lieberman (I-Conn) and Susan Collins (R-Maine) to the floor for a vote sooner than later.

“I put everyone on notice: We are going to move this bill at the earliest possible date,” Reid said on the Senate floor. And Lieberman said at the time that he was confident legislation would go to the floor this month.

That was then. By the middle of last week, June had shifted to July. Nicole Johnson, writing in the Federal Times, said Lieberman told reporters at a cyber briefing by the Department of Homeland Security (DHS) that, “I’m as confident as I can be that this will come up no later than July.”

This, said Leslie Phillips, communications director for the Senate Homeland Security and Governmental Affairs Committee, is just the reality of the Senate. “Originally, Sen. Reid said the bill would come up in the first work period. That didn’t happen. Then we thought it would come up in the second. That didn’t happen. And so on,” she said. “The decision is entirely up to the leader.”

Not that there isn’t plenty of talk about it. In the past two weeks, Lieberman and Collins hosted a demonstration for fellow senators by the DHS’ U.S. Computer Emergency Readiness Team (CERT) to show how easily hackers can gain control of a person’s computer through spear phishing — targeted emails crafted to look credible enough to convince an individual to divulge information or open malicious files.

Andrew Couts reported in Digital Trends this week that on the House side, Rep. Mike Rogers (R-MI) said in a panel discussion hosted by The Week magazine that he believes President Obama will sign the legislation he co-sponsored, called the Cyber Intelligence Sharing and Protection Act (CISPA) if it reaches his desk.

The House passed CISPA by a healthy 248-168 on April 26, but the White House issued a statement before the debate on the bill even started saying no bill would be signed that did not ensure the protection of critical infrastructure systems and guard the privacy of citizens. CISPA did neither, the White House said.

However, a number of observers suspect that Rogers might be right. A month after the veto threat, Obama’s head of cybersecurity, Howard Schmidt — a vocal CISPA critic and the administration’s voice on such legislation — retired.

“Furthermore, Obama isn’t exactly known for sticking tightly to his guns on vetoes,” wrote Andrew Couts on Digital Trends.

And amid the competition between CISPA and CSA is a proposed compromise by Sens. Sheldon Whitehouse (D-R.I.) and Jon Kyl (R-Ariz.) that they hope will settle the debate over how heavy the hand of government should be in regulating industries that operate critical infrastructure by replacing the mandates contained in CSA with incentives for meeting what the proposal calls Baseline Performance Goals. Republicans, especially Sen. John McCain, of Arizona, have said they will not support legislation that “burdens” industry with more regulation.

The proposal is not a bill — all that has been seen of it so far is a six-page conceptual draft. But it was good enough to prompt a letter from Sens. Olympia Snowe (R-Maine) and Mark Warner (D-VA) to Reid and Republican Senate Minority Leader Mitch McConnell, asking them to set a firm date during the July work period to debate legislation.

While the letter has no direct reference to the Kyl-Whitehouse proposal, it does say, “there is tremendous potential for this chamber to forge a viable solution that incentivizes private sector participation and collaboration” — the key word being “incentivizes.”

Lieberman told reporters at the cyber briefing that he believes his proposal is the best of the several on the table. But he is also aware that the window of opportunity is closing. “The time remaining to do this is growing short,” he said.

“We know that the ‘lame duck’ session will be almost exclusively taken up with the crucial national security debate about reversing the $500 billion in defense cuts mandated by the Budget Control Act, as well as dealing with the expiration of the Bush tax cuts and the payroll tax cuts,” Lieberman said.

Paul Rosenzweig, founder of the homeland security consulting firm Red Branch Law & Consulting, and a former DHS policy official, writing on the Lawfare blog this week, agrees. “If there is no action in July before the big August recess there is precious little likelihood of movement this year,” he wrote.

If the window does close, it will be a disappointment, but not a huge surprise to experts like Joel Harding, a retired military intelligence officer and now information operations consultant expert and consultant. “We have been discussing this issue for close to 15 years,” he said. “I even did my MBA thesis on it.”