House Republicans expressed strong resistance Wednesday to any sweeping expansion of the government’s power to regulate private computer networks.
Unlike the comprehensive legislative proposals championed by the White House and Senate Democrats, the recommendations unveiled by the House Republican cybersecurity task force argue against imposing government security standards on private-sector firms. They call instead for a host of voluntary incentives, such as liability protection, streamlined information security regulations and tax credits, to persuade firms to invest in security.
“If we can get 85 percent of attacks by good hygiene, we ought to encourage good hygiene,” said task force Chairman Mac Thornberry (R-Texas) at a press conference.
The Obama administration has indicated its cybersecurity standards would apply to a wide range of industries, including utilities, financial institutions, communications and Internet service providers. Firms would likely be compelled to comply through publication of security audits and compliance results rather than criminal or civil penalties.
The GOP appears to favor a narrower definition that would include only industries that are already highly regulated, such as nuclear power, chemical plants and water treatment facilities. The Republicans argue Congress should consider additional cybersecurity directives targeted at the existing regulators of those sectors. For other industries, the task force prefers voluntary standards tied to incentives.
A leading cybersecurity expert gave the GOP's plan high marks.
"I think it is pragmatic and achievable. I was very impressed," said Alan Paller, director of research at the SANS Institute.
The task force’s recommendations have the seal of approval from Speaker John Boehner (R-Ohio) and the House GOP leadership, which could set up a conflict with Democrats, especially since Thornberry said the GOP conference is opposed to handling such a complex issue via comprehensive legislation.
The two sides are also at odds over the need for a cybersecurity coordinator or czar within the White House.
“In some areas of our critical infrastructure, it is clear that the current market is not achieving the security gains we need to address current vulnerabilities and future threats,” said Rep. Jim Langevin (D-R.I.) in a statement. “This will require government involvement beyond incentives and voluntary minimum standards. It was also disappointing to not see any effort to strengthen the White House office for cybersecurity.”
The Republicans’ proposal was welcomed by members of the Senate Homeland Security Committee, including Chairman Joe Lieberman (I-Conn.) and Tom Carper (D-Del.), even though the GOP plan departs significantly from their proposal to put the Department of Homeland Security in charge of enforcing the government’s cybersecurity standards.
Thornberry repeatedly expressed confidence that legislation will pass Congress this year.
“We now have broad and bipartisan consensus on the nature of the threat, and on the steps we need to take to address it, both within the government and in the private sector,” Lieberman said. “As cyber crimes and attacks take an increasing toll on our privacy, economy and national security, there is simply no reason we can’t pass bipartisan legislation this year to address this urgent and growing threat.”
“While we might differ in our approaches in some areas, we agree in others,” Carper added.
The conciliatory tone indicates cybersecurity is still nascent enough as a political issue that members on both sides of the aisle would view the passage of any legislation as a political win.
While some cybersecurity experts fear none of the proposals go far enough to ensure companies take adequate security measures, Thornberry vowed that Congress will revisit the issue in the near future.
“We’re looking for progress, not perfection,” he said. “It’s not a one-shot deal.”