House Republican leaders are standing firm against intense pressure from the White House to embrace regulatory mandates for cybersecurity.
The Obama administration is leaning on Congress to pass legislation that would require some private companies to meet minimum standards for protecting their computer networks.
But GOP leaders in the House are opposed to adding more regulatory mandates on private businesses and are moving forward with cybersecurity legislation next week that would be purely voluntary.
Rep. Dan Lungren (R-Calif.) was working on a cybersecurity bill that would have included new regulatory standards, but he dropped the mandates from the legislation after speaking with Republican leaders.
“I am not going to suggest that it was poorly written or with wrong intent,” Lungren said of the old version of his bill during a markup Wednesday. He said he dropped the critical infrastructure regulations “in an effort for us to proceed” and for the House Homeland Security Committee “to put some stamp” on the cybersecurity debate.
Committee Chairman Pete King (R-N.Y.) said overhauling the bill was a “long, hard decision,” but that if the committee tried to move forward with new regulations, “we will be cut out of the process.”
Rep. Jim Langevin (D-R.I.) said he was “deeply discouraged by the changes made to the bill, apparently with the influence of the majority leadership.”
“House Republican leadership appears determined to approach this vital national-security challenge like every other issue: in an extremely partisan way that impedes progress, in this case siding with those in critical industries who are neglecting public safety,” Langevin said.
Aides to House Speaker John Boehner (R-Ohio) and Majority Leader Eric Cantor (R-Va.) declined to comment.
The House is expected to vote next week on the Cyber Intelligence Sharing and Protection Act (CISPA). The bill, authored by House Intelligence Committee Chairman Mike Rogers (R-Mich.), would encourage companies to share information about cyber threats, but would not make the disclosures mandatory.
The Obama administration criticized the bill in a statement Tuesday evening, arguing it is inadequate.
“The nation’s critical infrastructure cyber vulnerabilities will not be addressed by information-sharing alone,” said National Security Council spokeswoman Caitlin Hayden in a statement.
The White House unveiled its own cybersecurity proposal last May. Officials urged Congress to pass legislation that would encourage companies to share information about online threats while empowering the Homeland Security Department to enforce cybersecurity standards for critical infrastructure systems.
The White House warned that without mandatory cybersecurity standards, hackers could attack a critical system, such as an electrical grid or a water supply, and cause mass chaos.
“Think about how many people could die if a cyberterrorist attacked our air traffic control system and planes slammed into one another,” Sen. Jay Rockefeller (D-W.Va.) said at a hearing earlier this year. “Or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington.”
Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) introduced a bill that closely tracks the administration’s proposal, giving the Homeland Security Department new regulatory powers over critical infrastructure.
The White House has endorsed the Lieberman-Collins bill, but Republicans have criticized the measure, warning that it would create a burdensome and unnecessary regulatory environment.
Sen. John McCain (R-Ariz.) said the Lieberman-Collins bill would impose regulations that “would stymie job creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates.”
After McCain introduced his own alternative bill that jettisoned the regulatory provisions, Hayden warned Congress not to resort to “half-measures.”
Senate Majority Leader Harry Reid (D-Nev.) has indicated he will bring the Lieberman-Collins bill up for a vote, but even if the Senate approves the new regulatory powers, the chances of the legislation making headway in the House seem slim.
In a speech on Tuesday, Rogers warned against adopting “big, prescriptive, regulatory ‘thou shalt’-type bills in an arena like cyberspace” and predicted Democrats would have trouble even getting the cybersecurity mandates through the chamber they control.
Rogers said he has already had discussions with Senate Democrats about moving forward with the information-sharing provisions if their effort to pass the regulatory piece fails.
But the White House isn’t giving up.
Tuesday’s briefing with members of the House was just the latest closed-door session where Obama officials tried to impress upon lawmakers the need to address the cybersecurity threats facing the country.
Senior administration officials have held numerous classified briefings with the House and Senate on the danger of cyberattacks on critical infrastructure. Last month, officials performed a simulation for dozens of senators showing how the government would respond to a cyberattack on the New York City electrical grid
“As the president emphasized in the State of the Union, we need Congress to act swiftly to provide the authorities we need to protect the nation’s critical infrastructure from the growing danger of cyber threats,” Hayden said in Tuesday’s statement.