Two different news organizations (TheHill.com
and RollCall.com) are
reporting that Sen. Reid (D,NV) is planning on bringing cybersecurity
legislation back to the floor of the Senate when the body returns for its
lame-duck session after the election. As I
noted in August, Reid can call for reconsideration of the cloture vote on
the bill at any time that he feels that he has the votes.
Legislation vs Executive Order
Both articles tie the Reid statement to the recent speech by
the Secretary of Defense warning of a cyber Pearl Harbor attack. That statement
follows recent news reports that the Administration was consulting with
Congress and the business community on possible provisions for an executive
order on cybersecurity for critical infrastructure. It seems likely that all of
these events are tied together in a plan to provide the government the authority
to regulate cybersecurity.
The politics of cybersecurity legislation are complicated.
First, the regulatory authority that the Administration claims is necessary to
protect this country against cyber-attacks by nation-states, terrorists, or
even criminal organizations can only be provided by legislation. An executive
order would provide only limited authority to expand regulations in only a few
industrial sectors; other sector regulations would have to be based upon voluntary
compliance.
Election Calculus
Cybersecurity legislation is clearly not a presidential
election issue; neither side has made any attempt to make significant political
capital taking a stand on the issue. President Obama is hardly likely to
publish an executive order before the election for fear of offending some of
his ‘civil liberties’ supporters who object to information sharing provisions supported
by the Administration.
The Administration has a slim majority of support in the
Senate for S 3414, but not enough, as currently crafted, to be able to get past a
cloture vote. An agreement on allowing votes on some key amendments may change
enough votes to provide a 60-vote margin to bring the bill to a vote, a vote
that would probably lead to passage of the bill in the Senate. Passage of the
bill in the House, as currently written, is almost impossible; the House
cybersecurity legislation religiously avoids regulating industry beyond
enabling some limited information sharing provisions that require nothing of
industry.
The election next month may change the calculus in both
bodies of Congress. If Democrats get closer to a supermajority (a clear
supermajority does not currently seem to be a possibility) in the Senate,
current opposition to S 3414 may be reduced by some departing members wishing
to have at least some influence on cybersecurity legislation. If the
Republicans, on the other hand, gain seats (especially if they break the 50 vote
barrier) in the election, the Democrats will have to surrender a lot of their
desires to get S 3414 passed. The agreement would have to be for more than just
votes on amendments; some of the mandatory provisions would have to be changed
to voluntary. Which provisions would have to be changed would depend on the
number of new Republicans reporting in January and which Democrats won’t
return.
The House is much more complicated. Just about the only
thing that will cause a wholesale change in the approach of the Republican
leadership is if they lose control of the House in the election. Any other
election outcome ensures that the current leadership will at the very least
have a veto power over any cybersecurity legislation that heads towards the
President. Any lame-duck Senate bill will have to take this into account.
Executive Order
Any effective executive order by President Obama will have
to be preceded by an election win. A President Romney would simply sign an
executive order vacating one issued by Obama long before any effective action
could be taken under such an order.
An Obama win would still not ensure that an executive order
would have much of an effect on cybersecurity. To be effective the administration
has to write regulations that have to go through the publish and comment
process. This Administration has a poor record of writing regulations,
particularly in the homeland security realm. A two-year-old executive order
harmonizing controlled unclassified information (CUI; Executive
Order 13556) has yet to produce any regulations changing the
handling of such information. That regulation would only really affect
executive branch politics, not business operations; that should make it an easier
sell politically.
The Administration would also have to take into
consideration that any regulations that have a substantial effect on business
operations would certainly face litigation on the grounds of overstepping
federal authority. Even just increasing cybersecurity controls over already
regulated industries would certainly face such lawsuits. Extending such
regulations to currently unregulated industries would be a non-starter just
because of the threat of lawsuits. It has been made clear that even
information sharing rules are likely to be opposed on privacy and free speech grounds.
Way Forward
There is a possibility that the Obama Administration could
craft, with the help of the Republican leadership in the House, a minimalist
cybersecurity bill modeled on the House-passed HR 2096. The House might acquiesce
to limited cybersecurity regulations on the electric industry; the one industry
that almost everyone has been mentioning as being at risk (shows how ‘everyone’s’
imagination is so limited). If they can get the House Republicans onboard, then
they can probably convince the Senate.
One thing that all of the politicians have just about missed
in their discussions is that there is a significant difference between IT and
ICS cybersecurity. Any bill that really tries to address critical
infrastructure cybersecurity must clearly differentiate between the two and
write specific requirements for both types of security programs.