The Senate’s plans for debating cybersecurity legislation before year’s end will be shaped in large part by next week’s presidential election, a senior congressional staffer said yesterday.
After Defense Secretary Leon Panetta delivered a dire warning to businesses about the threat of a crippling cyber attack on the United States last month, Senate Majority Leader Harry Reid (D-Nev.) said he will “bring cybersecurity legislation back to the Senate floor when Congress returns in November.” Yet it is not known whether that is the controversial Cybersecurity Act of 2012, which is intended to ensure critical-infrastructure providers better protect their networks by following voluntary threat-protection standards created by the public and private sector. The U.S. Chamber of Commerce opposes the bill, which it views as leading to excessive regulation, and Republicans blocked it in the Senate in August.
Jeffrey Ratner, counsel and senior adviser to the Senate Homeland Security and Government Affairs Committee, said yesterday that “it remains to be seen” if the Senate takes up the Cybersecurity Act of 2012, crafted by committee Chairman Joseph Lieberman (I/D-Conn.) and Ranking Member Susan Collins (R-Maine). The Senate will resume its lame-duck session for the end of 2012 on Nov. 13, a week after next Tuesday’s presidential showdown between President Barack Obama and GOP challenger Mitt Romney.
“I think a lot depends on what happens on Tuesday, because obviously as much policy as there is, there’s also politics, and…you have to kind of see what the new landscape is,” Ratner said yesterday at Washington Post Live’s Cybersecurity Summit.
Obama supports the Cybersecurity Act of 2012 and his administration also has drafted an executive order that would go around Congress and could create cyber-security standards for critical-infrastructure providers.
Ratner, for his part, said the Cybersecurity Act of 2012 could potentially pass the Senate this year. He noted the bill was stalled in August when only 53 senators voted on a procedural step to advance the bill, seven fewer than the 60 votes required. At the time five Democrats voted “No.”
“Post-election, things change, and some of their concerns may be addressed,” he said. “It will be a lot closer.”
Ratner said he thinks regardless of the outcome of the presidential race that Obama will issue the executive order.
The executive order covers much of what is in the Cybersecurity Act of 2012, which also seeks to improve the sharing of cyber-threat information between the private sector and government.
However, an executive order could not create incentives for the critical-infrastructure providers to follow security standards, as the legislation could, Ratner said. Such incentives could include liability protection and preferential consideration in government contract awards for businesses.
“For instance, the government can say, let’s assess the risk in each of the 18 sectors, let’s identify what systems are most at risk, and then let’s work together to come up with some standards and best practices that we can issue (for) people that are voluntary,” Ratner said. “The only problem is you can’t offer incentives like liability protections, which the Congress can.”
The executive order, though, could in theory include penalties for companies that don’t adhere to new standards, he said.
“They can leverage their existing regulatory authority to do that, however in many cases it’s limited,” he said, referring to administration officials.
The Lieberman-Collins bill previously called for such penalties but its sponsors removed them in an unsuccessful attempt to garner more Republican support.
If Obama issues an executive order there is “a possibility” that Lieberman–who is retiring in two months–may try to pass a bill that addresses matters not in the order, Ratner said. Those could relate to information sharing and Department of Homeland Security hiring authorities.
Sen. John McCain (R-Ariz.) and other Republicans support the alternate Secure IT Act, which would create no new federal regulations and instead focuses on removing legal barriers to government and businesses sharing information about cyber attacks. It is similar to the Cyber Intelligence Sharing and Protection Act (CISPA), which the Republican-led House passed and the White House said Obama could veto.