Cybersecurity Act expected to fail

The Senate’s cybersecurity bill is likely to go down in defeat on Thursday, ending any hope of passing a measure by the end of the year to protect America’s networks.

Unless members strike a last-minute deal, the Cybersecurity Act from Sen. Joe Lieberman (I-Conn.) is expected to fall short of the 60 votes needed to end debate. That would be a defeat for the White House, which made an all-hands-on-deck push to get the bill through Congress.

Members were working feverishly Wednesday to try to salvage the bill before the August recess. Sen. Jon Kyl (R-Ariz.) huddled with Sens. Barbara Mikulski (D-Md.), Chris Coons (D-Del.), Richard Blumenthal (D-Conn.), Lindsey Graham (R-S.C.), Roy Blunt (R-Mo.), Dan Coats (R-Ind.) and Sheldon Whitehouse (D-R.I.) in his office to discuss a path forward.

Sens. John McCain (R-Ariz.) and Kay Bailey Hutchison (R-Texas), lead sponsors of a competing cybersecurity measure, later joined the group.

Exiting Kyl’s office, McCain said senators were “making progress,” though he was quick to add that members were “still a long way” from reaching a deal.

The debate over legislation intended to boost the security of computer systems and networks of critical infrastructure — such as the electric grid, transportation networks and water systems — has been mired in partisan fighting this week.

Reid and Senate Democrats lashed out at the U.S. Chamber of Commerce, blaming the business lobby for keeping Republican senators from striking a deal on amendments.

Chamber officials and Senate Republicans argued Lieberman’s bill would give regulators too much power and said it should be revised to add more liability protections for businesses that share information about cyber threats with the government.

The collapse of the legislation would be a blow to the White House, which had lobbied hard for passage. The administration tried to instill a sense of urgency with a series of classified briefings where defense and intelligence officials described the threats to America’s infrastructure. In one session with lawmakers, they demonstrated how a hacker could wipe out New York City’s power systems with a single email.

Obama officials reiterated the gravity of the threat in a final push for the legislation on Wednesday.

U.S. Cyber Command head Gen. Keith Alexander said there’s been “over a 20-fold increase” in cyberattacks targeting the country’s critical infrastructure, with the severity growing over time.

“What we’re seeing is the evolution of these cyber events from exploitation to disruption,” the four-star general said.

John Brennan, Obama’s counterterrorism adviser, said it would be “incomprehensible” for senators to oppose the bill.

“We find it hard to believe that there is any reason or basis to oppose this legislation,” Brennan said, especially since Lieberman removed the voluntary mandates included in the original version.

The administration had initially hoped the legislation would include mandatory security standards for critical infrastructure companies. Those provisions were dropped from Lieberman’s bill, but the administration said it would still be better than the status quo.

If the bill fails to garner the 60 votes needed to end debate, it will be a particularly bitter defeat for Lieberman. The onetime vice presidential candidate and chairman of the Homeland Security and Governmental Affairs Committee is retiring at the end of this Congress and had hoped that successful passage of his cybersecurity bill would be the final chapter of his legacy in the Senate.

Lieberman expressed disappointment on Wednesday that Reid had to file for cloture, but acknowledged that he “did what he had to do in the national-security interest.”

In the remaining hours before Thursday’s expected vote, Lieberman said members would be working to come up with a “finite list” of amendments that both sides can agree on. But if those efforts fall through, he said senators would have to make the tough choice of whether to delay action despite the urgent warnings of security officials.

“We’re almost on the 1-yard line, and it would be such a shame, I believe, with things being that close, if we couldn’t close the deal,” said Whitehouse on the Senate floor.

But Sen. Susan Collins (R-Maine), one of the co-authors of the Cybersecurity Act, didn’t sound as optimistic.

The next steps for the bill are Thursday’s cloture vote, “or there could be a breakthrough, but I don’t see one right now,” she said.

The Cybersecurity Act is the product of nearly two years of work by working groups comprising Senate committees with jurisdiction over cybersecurity, such as Commerce, Homeland Security and Governmental Affairs and Intelligence. The original bill released in February would have required the computer systems and networks of critical infrastructure to meet security standards developed, in part, by the Department of Homeland Security.

In a bid to win GOP support and dampen criticism from the Chamber, Lieberman watered down the critical-infrastructure provisions. The final version rewards critical-infrastructure operators with incentives, such as liability protections, if they meet voluntary security standards.

The House passed a series of cybersecurity-focused bills this spring, but did not require companies to close the security gaps in their computer systems. The anchor bill in the House was the Cyber Intelligence Sharing and Protection Act, which focused on improving the sharing of information about cyber threats between the government and industry.

The end of work in Congress on a cybersecurity bill could prompt a more hands-on approach to cybersecurity from the White House.

The administration could enact security mandates via an executive order, according to Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.

“The executive order option has been off the table because people were waiting to see what would happen with legislation,” Lewis said. “But the president could direct agencies to use their existing authorities to require cybersecurity standards. He could do that right now.”