Sunday, October 14, 2012

S 3414 May Still Be Alive - Cybersecurity

Two different news organizations are reporting that Sen. Reid (D,NV) is planning on bringing cybersecurity legislation back to the floor of the Senate when the body returns for its lame-duck session after the election. As I noted in August, Reid can call for reconsideration of the cloture vote on the bill at any time that he feels that he has the votes.

Legislation vs Executive Order

Both articles tie the Reid statement to the recent speech by the Secretary of Defense warning of a cyber Pearl Harbor attack. That statement follows recent news reports that the Administration was consulting with Congress and the business community on possible provisions for an executive order on cybersecurity for critical infrastructure. It seems likely that all of these events are tied together in a plan to provide the government the authority to regulate cybersecurity.

The politics of cybersecurity legislation are complicated. First, the regulatory authority that the Administration claims is necessary to protect this country against cyber-attacks by nation-states, terrorists, or even criminal organizations can only be provided by legislation. An executive order would provide only limited authority to expand regulations in only a few industrial sectors; other sector regulations would have to be based upon voluntary compliance.

Election Calculus

Cybersecurity legislation is clearly not a presidential election issue; neither side has made any attempt to make significant political capital taking a stand on the issue. President Obama is hardly likely to publish an executive order before the election for fear of offending some of his ‘civil liberties’ supporters who object to information sharing provisions supported by the Administration.

The Administration has a slim majority of support in the Senate for S 3414, but not enough, as currently crafted, to get past a cloture vote. An agreement on allowing votes on some key amendments may change enough votes to provide the 60-vote margin needed to bring the bill to a vote, a vote that would probably lead to passage of the bill in the Senate. Passage of the bill in the House, as currently written, is almost impossible; the House cybersecurity legislation religiously avoids regulating industry beyond enabling some limited information sharing provisions that require nothing of industry.

The election next month may change the calculus in both bodies of Congress. If Democrats get closer to a supermajority (a clear supermajority does not currently seem to be a possibility) in the Senate, current opposition to S 3414 may be reduced by some departing members wishing to have at least some influence on cybersecurity legislation. If the Republicans, on the other hand, gain seats (especially if they break the 50 vote barrier) in the election, the Democrats will have to surrender a lot of their desires to get S 3414 passed. The agreement would have to be for more than just votes on amendments; some of the mandatory provisions would have to be changed to voluntary. Which provisions would have to be changed would depend on the number of new Republicans reporting in January and which Democrats won’t return.

The House is much more complicated. Just about the only thing that will cause a wholesale change in the approach of the Republican leadership is if they lose control of the House in the election. Any other election outcome ensures that the current leadership will at the very least have a veto power over any cybersecurity legislation that heads towards the President. Any lame-duck Senate bill will have to take this into account.

Executive Order

Any effective executive order by President Obama will have to be preceded by an election win. A President Romney would simply sign an executive order vacating one issued by Obama long before any effective action could be taken under such an order.

An Obama win would still not ensure that an executive order would have much of an effect on cybersecurity. To be effective, the Administration has to write regulations that have to go through the publish and comment process. This Administration has a poor record of writing regulations, particularly in the homeland security realm. A two-year-old executive order harmonizing controlled unclassified information (CUI; Executive Order 13556) has yet to produce any regulations changing the handling of such information. That regulation would only really affect executive branch politics, not business operations; that should make it an easier sell politically.

The Administration would also have to take into consideration that any regulations that have a substantial effect on business operations would certainly face litigation on the grounds of overstepping federal authority. Even just increasing cybersecurity controls over already regulated industries would certainly face such law suits. Extending such regulations to currently unregulated industries would be a non-starter just because of the threat of law suits. It has been made clear that even information sharing rules are likely to be opposed on privacy and free speech grounds.

Way Forward

There is a possibility that the Obama Administration could craft, with the help of the Republican leadership in the House, a minimalist cybersecurity bill modeled on the House-passed HR 2096. The House might acquiesce to limited cybersecurity regulations on the electric industry, the one industry that almost everyone has been mentioning as being at risk (which shows how limited ‘everyone’s’ imagination is). If they can get the House Republicans onboard, then they can probably convince the Senate.

One thing that all of the politicians have just about missed in their discussions is that there is a significant difference between IT and ICS cybersecurity. Any bill that really tries to address critical infrastructure cybersecurity must clearly differentiate between the two and write specific requirements for both types of security programs.
