House GOP: Carrots, not sticks, needed to bolster nation's cybersecurity

House Republicans expressed strong resistance Wednesday to any sweeping expansion of the government’s power to regulate private computer networks.

Unlike the comprehensive legislative proposals championed by the White House and Senate Democrats, the recommendations unveiled by the House Republican cybersecurity task force argue against imposing government security standards on private-sector firms. They call instead for a host of voluntary incentives to persuade firms to invest in liability protection, streamlined information security regulations and tax credits.

“If we can get 85 percent of attacks by good hygiene, we ought to encourage good hygiene,” said task force Chairman Mac Thornberry (R-Texas) at a press conference.


Thornberry and his colleagues said carefully targeted regulation might be justified in some cases, but the two parties largely disagree on the meaning of critical infrastructure. 

The Obama administration has indicated its cybersecurity standards would apply to a wide range of industries, including utilities, financial institutions, communications and Internet service providers. Firms would likely be compelled to comply through publications of security audits and compliance results rather than criminal or civil penalties. 

The GOP appears to favor a narrower definition that would include only industries that are already highly regulated, such as nuclear power, chemical plants and water treatment facilities. The Republicans argue Congress should consider additional cybersecurity directives targeted at the existing regulators of those sectors. For other industries, the task force prefers voluntary standards tied to incentives.

A leading cybersecurity expert gave the GOP's plan high marks.

"I think it is pragmatic and achievable. I was very impressed," said Alan Paller, director of research at the SANS Institute.

The task force’s recommendations have the seal of approval from Speaker John BoehnerJohn Andrew BoehnerDemocrats eager to fill power vacuum after Pelosi exit Stopping the next insurrection Biden, lawmakers mourn Harry Reid MORE (R-Ohio) and the House GOP leadership, which could set up a conflict with Democrats, especially since Thornberry said the GOP conference is opposed to handling such a complex issue via comprehensive legislation.

The two sides are also at odds over the need for a cybersecurity coordinator or czar within the White House.

“In some areas of our critical infrastructure, it is clear that the current market is not achieving the security gains we need to address current vulnerabilities and future threats,” said Rep. Jim Langevin (D-R.I.) in a statement. “This will require government involvement beyond incentives and voluntary minimum standards. It was also disappointing to not see any effort to strengthen the White House office for cybersecurity.”

The Republicans’ proposal was welcomed by members of the Senate Homeland Security Committee, including Chairman Joe Lieberman (I-Conn.) and Tom CarperThomas (Tom) Richard CarperBiden comments add momentum to spending bill's climate measures  Democrats hope to salvage Biden's agenda on Manchin's terms  Democrats call on Biden administration to ease entry to US for at-risk Afghans MORE (D-Del.), despite the fact the GOP plan departs significantly from their proposal to put the Department of Homeland Security in charge of enforcing the government’s cybersecurity standards. 

Thornberry repeatedly expressed confidence that legislation will pass Congress this year.

“We now have broad and bipartisan consensus on the nature of the threat, and on the steps we need to take to address it, both within the government and in the private sector,” Lieberman said. “As cyber crimes and attacks take an increasing toll on our privacy, economy and national security, there is simply no reason we can’t pass bipartisan legislation this year to address this urgent and growing threat.”

“While we might differ in our approaches in some areas, we agree in others,” Carper added.

The conciliatory tone indicates cybersecurity is still nascent enough as a political issue that members on both sides of the aisle would view the passage of any legislation as a political win.

Indeed, both sides appear to have reached common ground on liability protections for firms that share information on cyberattacks, as well as reform of FISMA, the law that governs how federal agencies must protect their networks. A number of groups expressed support for the task force’s recommendations, including TechAmerica and U.S.Telecom.

While some cybersecurity experts fear none of the proposals go far enough to ensure companies take adequate security measures, Thornberry vowed that Congress will revisit the issue in the near future.

“We’re looking for progress, not perfection,” he said. “It’s not a one-shot deal.”