WASHINGTON — Earlier this year, top national security officials held a classified briefing in the Capitol for about half the Senate, warning that the country’s crucial infrastructure was highly vulnerable to a major cyber attack and urging Congress to move swiftly to require new safeguards.
Gen. Keith Alexander, head of the National Security Agency, and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, were among those who pressed for a White House-backed cyber-security bill to regulate privately owned crucial infrastructure, such as electric utilities, chemical plants and water systems.
If the senators didn’t act, they argued, it would make it harder to stop hackers, criminals and hostile nations from wreaking unimaginable havoc, such as knocking out sections of New York City’s electrical grid for days during a summer heat wave.
But theU.S. Chamber of Commerceand other business groups strenuously opposed the measure, condemning it as excessive government interference in the free market and arguing that cumbersome federal regulations could hamper companies trying to defend against cyber intrusions.
Democrats overwhelmingly supported the legislation, but for Republicans, it meant a stark choice between competing constituencies: national security officials and business leaders. Even after the bill’s backers made the standards voluntary, the Chamber of Commerce, which spends more on lobbying than any other trade group, opposed it.
On Thursday, the Senate cyber-security bill failed to overcome a Republican-led filibuster. Analysts say the bill couldn’t breach a wall of anti-regulatory sentiment that proved resistant to the dire warnings.
The measure fell short of the 60-vote threshold needed to end debate, 52 to 46, with 40 Republicans joined by six Democrats voting in support of the filibuster.
“Rarely have I been so disappointed in the Senate’s failure to come to grips with a threat to our country,” said Sen. Susan Collins, the ranking Republican on the Senate Homeland Security Committee and one of the bill’s chief sponsors, who had tried in vain to sway her GOP colleagues. Just four sided with her.
Barring an unexpected compromise, the defeat makes it unlikely that Congress will pass a cyber-security bill this year. In April, the GOP-controlled House passed a bill that calls for companies and the government to share information about cyber attacks, but imposes no security standards. The White House opposes that bill over concerns about privacy issues.
The Senate bill included information-sharing provisions that had been negotiated with civil liberties groups. Intelligence officials said it would have improved detection of the near-daily barrage of cyber intrusions.
“The same forces that have kept Capitol Hill in gridlock on many important issues have also blocked effective cyber-security legislation,” James Lewis, an expert at the Center for Strategic and International Studies in Washington, wrote in an online commentary. Lewis frequently consults with the government and industry about cyber security.
The Senate bill — whose chief sponsors were the leaders of the Homeland Security Committee, Collins and Joe Lieberman (I-Conn.) — initially called for mandatory minimum security standards to shore up computer networks. Those standards, which were to be crafted in close concert with industry representatives, were intended to force companies that own life-sustaining equipment to install new protections. Some have been reluctant to spend money to improve security against what they see as a speculative threat.
But the Chamber of Commerce, which spent $66.4 million lobbying in Washington last year, according to the Center for Responsive Politics, strongly opposed mandatory standards. In recent weeks some Senate Republicans, including John McCain of Arizona, made it clear they would seek to block the bill.
To save it, proponents scaled it back. The version that came up for a vote called for a system of voluntary security standards, offering immunity from lawsuits to companies that participated.
Those changes weren’t enough to mollify the chamber and its Republican allies.
“The chamber believes [the bill] could actually impede U.S. cyber security by shifting businesses’ resources away from implementing robust and effective security measures and toward meeting government mandates,” Bruce Josten, the chamber’s chief lobbyist, wrote in a letter to senators Tuesday.
The opposition frustrated the nation’s top intelligence officials, who have been warning for years that cyber attacks — the most destructive of which could tamper with nuclear, chemical, water and electric plants — pose an increasing threat to national security.
“It’s incomprehensible why they are opposing it,” said John Brennan, the White House counter-terrorism advisor. “It’s not grounded in facts nor in national security concerns.”
Alexander, the head of the National Security Agency, the Pentagon’s eavesdropping and cyber-defense arm, said last week that it was only a matter of time before the U.S. was hit by a cyber attack that would damage key infrastructure. On a scale of 1 to 10, Alexander rated U.S. cyber defenses at a 3.
In June, four former senior security officials — all of them appointed by Republican President George W. Bush— sent a letter to Senate leaders calling for government-imposed performance standards for companies that operate important infrastructure. The letter was signed by former CIA Director Michael Hayden, former Homeland Security Secretary Michael Chertoff, former Director of National Intelligence Mike McConnell and former Assistant Defense Secretary Paul Wolfowitz. Hayden and Chertoff are advising GOP presidential candidate Mitt Romney on intelligence issues.
“We’re not talking about mom-and-pop stores here — we’re talking about nationally significant infrastructure,” said Chertoff, criticizing the business leaders who oppose the bill. “What they are not focused on is that a failure would not merely have a business impact, but it could cause a huge amount of collateral damage. Look at [this week’s power failures in] India. Half the country is shut down.”