Cyber-security measure fails to pass in Senate
WASHINGTON -- Despite warnings from intelligence officials that the U.S. is ill-prepared to stop a growing wave of cyber attacks against its crucial national infrastructure, the Senate on Thursday failed to pass a watered-down bill that would have set voluntary standards to harden the network defenses of electric utilities, chemical plants and other privately owned facilities.
Most Republicans and a few Democrats voted to block the measure even after its sponsors agreed to scale back its regulatory mandates. The U.S. Chamber of Commerce and other business groups continued to oppose it, and in a mostly party-line vote,the legislation failed to reach the 60-vote threshold needed to end debate. Fifty-two senators voted to end debate, and 46 voted against it.
“Rarely have I been so disappointed in the Senate’s failure to come to grips with a threat to our country,” said Sen. Susan Collins (R-Maine), the ranking member on the Homeland Security and Governmental Affairs Committee and one of the bill’s chief sponsors.
Barring an unexpected compromise, the defeat makes it less likely that Congress will pass a cyber-security bill this year. In April, the GOP-controlled House passed a bill the White House opposes that calls for information sharing about cyber attacks between companies and the government, but no security standards. The Senate bill also included information-sharing provisions, which intelligence officials say would have allowed them to better detect incoming cyber attacks.
Analysts say the Senate measure ran into a wall of anti-regulatory sentiment among Republicans that has proved resistant even to dire warnings from top security officials that the nation’s crucial infrastructure is woefully under-defended against the cyber threat. The voluntary standards were condemned by Republicans as too much government interference in the free market.
“No sane person has ever said that the private sector can carry the burden of national security,” said James Lewis of the Center for Strategic and International Studies, who frequently advises the government on cyber issues. “The fate of the cyber-security bills is a part of a larger and damaging political debate on the role of government.”
The Senate bill -- whose earliest sponsors were the leaders of the homeland security panel, Joseph Lieberman (I-Conn.) and Collins -- initially called for mandatory minimum security standards to shore up computer networks, to be crafted in close concert with industry representatives.
Those standards were designed to spur private companies that own life-sustaining equipment, including electric utilities and water systems, to improve security. Many have not been prepared to do that, arguing that the threats are speculative.
But the Chamber of Commerce, a major lobbying force in Washington, strongly opposed mandatory standards. In recent weeks, a group of Senate Republicans, including John McCain of Arizona, made it clear they would block the bill. In an effort to save it, proponents scaled it back. The version that came up for a vote called for a system of voluntary security standards and offered protection from lawsuits to companies that participate.
Those changes weren’t enough to mollify the chamber and its Republican allies.
“The Chamber believes [the bill] could actually impede U.S. cyber security by shifting businesses’ resources away from implementing robust and effective security measures and toward meeting government mandates,” Bruce Josten, the chamber’s chief lobbyist, wrote in a letter to senators Tuesday.
“It’s incomprehensible why they are opposing it,” John Brennan, the White House counter-terrorism advisor, told reporters Wednesday. “It’s not grounded in facts nor in national security concerns.”
The opposition frustrated intelligence officials, who have been warning for years that cyber attacks -- the most destructive of which could tamper with nuclear, chemical, water and electric plants -- pose an increasing threat to national security.
Army Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command, said last week that it was only a matter of time before the United States is hit by a cyber attack that damages key infrastructure. He cited a June report that the number of cyber incidents reported to the Department of Homeland Security by companies that own vital equipment rose 22-fold, from nine in 2009 to 198 in 2011.
On a scale of 1 to 10, Alexander rated U.S. cyber defenses at a 3.
In June, four former senior security officials, all of them Republican appointees, signed a letter to Senate leaders calling for government-imposed performance standards for companies that operate important infrastructure. The letter was signed by former CIA Director Michael Hayden, former homeland security director Michael Chertoff, former director of national intelligence Mike McConnell and former assistant Defense secretary Paul Wolfowitz. Hayden and Chertoff are advising GOP presidential candidate Mitt Romney on intelligence issues.
“We’re not talking about mom-and-pop stores here -- we’re talking about nationally significant infrastructure,” Chertoff said in an interview. “What [opponents] are not focused on is that a failure would not merely have a business impact, but it could cause a huge amount of collateral damage. Look at [the recent power failure in] India. Half the country is shut down.”
The cyber bill also faced skepticism from some privacy activists, although several major activist organizations, such as the American Civil Liberties Union and the Center for Democracy and Technology, were satisfied with the latest version of the legislation.
At issue are provisions that would allow companies to share customer information with the government, and would allow the government to share classified cyber-threat information with companies. Alexander said such sharing would help the government stop attacks, instead of watch them happen.
The ACLU and other activists won changes to ensure that the shared information be “reasonably necessary” to describe a cyber-security threat and that it could only be used for cyber-security purposes and to prosecute cyber crimes, protect people from imminent threat of death or physical harm, or protect children from serious threats.
Even if the Senate bill had passed, it would have left the U.S. vulnerable, according to Lewis and other experts. Many of them believe that it will take a destructive cyber attack to spur the country into meaningful action.
“I believe something like [9/11] will have to happen in the cyber world before people truly get it,” former FBI cyber official Shawn Henry told the Black Hat hackers convention in Las Vegas last week.