Despite the efforts of the administration and a slew of well-respected bipartisan officials including JCS Chairman Martin Dempsey, NSA director Keith Alexander, former DNI Mike McConnell, and former DHS secretary Michael Chertoff, the Senate failed yesterday to pass S. 3414, the Cybersecurity Act of 2012 by a vote of 51 – 47. The bill, introduced by Senate Homeland Security and Governmental Affairs Committee chairman Joe Lieberman (I-CT) and ranking member Susan Collins (R-ME), and co-sponsored by Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) would have raised requirements on private-sector owners of national critical infrastructure including power grids, financial institutions, and nuclear facilities to heighten protection from technological attacks.
The defeat of the bill is a prime example of partisan gridlock undermining the larger national security interest. Concerns that the bill placed an undue regulatory burden on industry to support cybersecurity were reflected in a competing bill proposed by Senator John McCain and other Republicans this past spring. But the eventual outcome was a failure on both sides of the aisle to see eye-to-eye, evidenced in demonstrations of partisan gamesmanship blaming each other (and the Chamber of Commerce) for the impeding demise of cybersecurity legislation.
The moral of the story is that all the knowledgeable players in government tasked with the nation’s cyber defense threw their weight behind the bill, yet the end goal remains unattained. There is speculation that the White House may bolster the cybersecurity effort through an executive order, in advance of the next legislative pass at the issue, which will be in next year’s session, speculatively. Presidential Policy Directive 20, penned in October to guide the cybersecurity operations of federal agencies, should not set a precedent for executive order taking the place of legislative action to address our collective cyber defense. The President is wise to fill that gap through an authoritative directive for now, but the enduring support – and funding – of Congress is needed to address this increasingly important challenge.
The recent destruction of Hurricane Sandy should make Americans, and their elected leaders, more sensitive to the disruption caused by the loss of critical infrastructure. Though Secretary Panetta’s warning of a “cyber Pearl Harbor” is hyperbolic in that a large-scale cyberattack is unlikely to directly cause mass casualties, the economic and political effects would be widespread. Seemingly harmless intrusions like a temporary denial-of-service can have compounding economic effects.
Any legislative failure to address a national vulnerability as widely cited as cyberattacks on critical infrastructure is a shortcoming in serving constituencies properly. Congress should take a hard look at itself before this issue arises in next year’s session and heed the warnings of national security leaders by placing consensus on cybersecurity near the top of their list of priorities.