In early August the Senate failed to act on a sensible, bipartisan proposal to improve the nation’s cybersecurity. With the recess days away, and with a heated election set to dominate the final months of the 112th Congress, “A Bill to Enhance the Security and Resiliency of the Cyber and Communications Infrastructure of the United States” (S.3414) may never again see the light of the Senate chamber. We cannot afford to let months pass while our power, water, and communications infrastructures are inconsistently protected from those who would do Americans harm; the nature and extent of the threat to our nation’s security continue to necessitate some immediate legislative action. Although the bill, co-sponsored by Joe Lieberman and Susan Collins, did not generate congressional consensus, it provides the Obama administration with a strong framework it can leverage to develop an executive order. The issuance of such an order would be sure to draw sharp criticism, but the framework for federal agencies provided by the Lieberman/Collins bill would be an effective (if only temporary) response to our nation’s most pressing national security threat.
The legislation’s detractors have aligned in two opposing camps of criticism. Some argue that the bill is an extreme manifestation of regulatory overreach – subjecting vast industries to government-mandated standards for securing their private networks. Others have decried the most recent iteration of the bill as toothless and impotent, incapable of encouraging actual change in the industries providing our nation’s critical infrastructure. While these arguments may resonate among ideologues, they put election-year party politics ahead of national security, and their substantive shortcomings have yielded what Senator Lieberman described as a “colossal abdication of duty” on the part of Congress.
First, claims of “regulatory overreach” are thrown around on the Hill so often as to render them virtually meaningless; in this instance, the claim is particularly absurd. The final iteration of the bill set standards for security through an entirely voluntary public-private partnership. In exchange for agreeing to comply with a set of standards, private entities that control portions of our nation’s critical infrastructure would be granted a series of benefits, including the ability to help shape those very standards. Other benefits and incentives included access to shared information from intelligence and defense agencies, priority assistance from government cyber-incident experts, expedited security clearances for appropriate employees, and protection from legal liability in the event of an attack. Any proof of compliance with these standards would be voluntary as well – except after an attack, when a provider would have to demonstrate its eligibility for legal protection. All of this coordination and information sharing would be centralized in the Department of Homeland Security, with support from all other relevant civilian and military agencies, which together would form the new National Cybersecurity Council. This set of incentives was created to draw in businesses, to get them engaged in sharing information and building better practices. But nothing was mandatory – so how could it be “regulatory overreach”?
The most absurd aspect of this argument is that some of its advocates have actually proposed more stringent regulation in the past. Senate Republicans’ SECURE IT bill, or the House’s CISPA, would hand control of cybersecurity information sharing and monitoring over to the NSA. How can one possibly argue that placing that role in a military agency renowned for its lack of transparency and minimal civilian oversight does not qualify as regulatory overreach, while a voluntary, cooperative network overseen by a civilian agency does?
The opposite critique is that such a voluntary structure provides little assurance that water, power, communications, and other critical infrastructure-providing industries will comply with baseline standards. The incentives mentioned above are substantial – and companies that take advantage of them will find that the dollars-and-cents benefits will not be far behind. How many companies are breached on a regular basis? How many would welcome help from the highly capable members of the US electronic defense complex? How many would welcome the raw intelligence that would let them counteract threats before they are compromised? And how many major companies will be willing to expose themselves to liability for allowing thousands or hundreds of thousands of American citizens to be put at risk while their competitors shield themselves with better information, better technology, and legal protection? Further, the argument that S.3414’s voluntary structures provide insufficient compliance incentive is undermined by its proponents’ past support for proposals with inferior incentive structures. CISPA and SECURE IT offer critical infrastructure providers unlimited liability protection, but they do so without mandating compliance with any baseline standards – essentially eliminating any reason these providers might have to improve their cybersecurity practices. We may not be able to stop every threat, but the incentives created by the Lieberman/Collins bill would ensure that our best minds will be at work, cooperatively, to prevent grave risks to Americans.
So what now? With the Lieberman/Collins bill stalled, and little progress likely to be made – how much time can we as a nation allow ourselves to be vulnerable? In the days before the bill’s failure, a Senate colleague remarked that, “this is a bill designed to last twenty years,” so getting the framework right is important. But it would only take twenty minutes, maybe twenty seconds, for something to go truly wrong. Do we fail to plug the hole in the ship’s hull because we don’t have a permanent fix? Our critical infrastructure is indeed a leaky ship, but Lieberman/Collins was the answer we needed to plug the holes. An executive order to create the authority and information sharing framed by that bill will protect our nation for the coming months until Congress hammers out a deal for the next twenty years.