The Senate yesterday continued discussion on comprehensive cyber security legislation, although by our deadline last evening no agreement had been reached on a package of amendments to the bill, which is likely crucial if the bill stands a chance of passage before the August recess begins tonight.
While more than 100 amendments have been offered to the Cyber Security Act of 2012 (S. 3414), only two have been allowed to proceed for votes by Senate Majority Leader Harry Reid (D-Nev.) if a vote on the bill occurs.
As it stands now, if an agreement is reached on what amendments can be offered for separate votes, the Senate would begin debate on those with the plan being to complete those votes and a final vote on the bill sometime today. If no agreement is reached on how to proceed with the amendments, then Reid is expected to call a cloture vote today on the bill that would pave the way for debate on the two amendments he has already agreed to allow debate on followed by a final vote on the bill.
However, absent the amendment package, it’s unlikely that enough Republicans will join Democrats in approving the cloture to enable debate on the Cyber Security Act to proceed. If that’s the case, it will be mid-September at the earliest before the bill is revisited.
The bill was first introduced in February and called for the Department of Homeland Security to set enforceable cyber security standards for certain critical infrastructure in the United States. However, the legislation was revised last month to remove the requirement for mandatory standards. Instead, the bill would offer liability protections to owners and operators of critical infrastructure that adopt best practices and security measures that are industry driven.
The revision also included additional privacy protections and means to bolster information sharing between the private and public sectors related to cyber threats.
Despite the revisions, namely around the elimination of the mandatory standards, Senate Republicans still remain opposed to the legislation.
Last week Sen. John McCain (R-Ariz.), one of the authors of separate cyber legislation that focuses mainly on improving the ability of the public and private sectors to share cyber threat information, detailed his opposition to the Cyber Security Act. He described the “bill’s general inadequacy” being a lack of a “liability protection framework” that would enable a cooperative relationship with the private sector and instead focuses on government mandates and inadequate liability protections.
McCain also objects to bill language that says current federal regulators of critical infrastructure may adopt cyber security practices as mandatory requirements. However, an amendment offered by Lieberman that Reid has agreed to strips this language from the bill.
Reid also agreed to an amendment by Sen. Al Franken (D-Minn.) would remove provisions in the Cyber Security Act that he says would allow “ISPs (Internet Service Providers) and other companies to monitor email and deploy countermeasures indiscriminately. What’s even worse is that these companies would be immune from any lawsuit if they misuse these new powers.”
The Obama administration this week has been holding meetings between its national security leaders and members of Congress urging them to approve the Cyber Security Act. On a conference call with reporters yesterday that was hosted by the White House, U. S. Cyber Command Chief Army Gen. Keith Alexander said that there has been a 20-fold increase in attacks on critical infrastructure between 2009 and 2011 and “what concerns me…is the evolution of these cyber events from exploitation to disruption and our concern is that they are going towards destruction, which would have significant impact not only on Wall Street but also on our critical infrastructure like the power grid and others.”
Should the Senate pass the Cyber Security Act, it will have to work out differences with the House on separate bills. In April, the House approved the Cyber Intelligence Sharing and Protection Act (H.R. 3523) that calls for the intelligence community to share information about cyber threats with appropriate private sector entities but makes any sharing on the private sectors’ part voluntary. However, the bill provides liability protections to the private sector for sharing information with the federal government as an incentive.
CISPA doesn’t address statutory authorities that DHS should have related to cyber security information sharing with the private sector.
John Brennan, the assistant to the president for Homeland Security and Counterterrorism, said on the conference call that the White House has issues with the House bill around privacy and liability protections and said the Cyber Security Act is the “most appropriate bill” currently.