Cybersecurity too crucial to leave to politicos? It's looking that way
With an election looming, parochial partisan politics trumped national security -- shocker, I know -- leaving cybersecurity policy firmly in midair.
Even for a Congress whose antics faintly remind one of the last days of the Weimar Republic, this was a bit much.
The United States Senate last week was unable to bring up the Cybersecurity Act of 2012 for a final vote because of -- shocker -- party politics.
Had it passed into law, the bill would have made sure that operators of critical infrastructure -- stuff like nuclear plants and water treatment facilities -- satisfied certain minimum cybersecurity standards, an idea championed by heavy hitters in the defense, national security, and intelligence circles. Not this time, though, as its supporters fell 8 votes short of the 60 needed to overcome a Republican filibuster. And now Congress has left for its summer recess.
Sen. John McCain (R-Ariz.), who led the opposition, complained that the legislation would have shackled businesses with unnecessary new burdens. Matt Kibbe, a Tea Party fave and head of the conservative group FreedomWorks, slammed the bill as "deeply flawed" and said it would stifle innovation on the Internet. The U.S. Chamber of Commerce denounced the idea as a hastily conceived piece of legislation chockablock with regulations that went too far. Senate GOP leader Mitch McConnell later explained that Republicans had decided to filibuster out of a desire to make the legislation better and instead blamed Harry Reid for seeking "to jam something through without any chance for amendment." The Wall Street Journal's editorial board advanced a similar meme, lecturing the Democrats, silly boys, for bringing to the floor a bill that the paper said was unpalatable.
Let's give them the benefit of the doubt, election year politics notwithstanding. But this was no bolt from the blue.
The legislative horse-trading has been going on for months. In fact, earlier compromises agreed to by the bill's sponsors had watered down the original language to make it more acceptable to the myriad affected constituencies, and the latest version made voluntary a mandate to set security standards for computer networks running the nation's critical infrastructure. It also tweaked certain provisions in the bill to allay concerns expressed by the civil liberties crowd (both the Center for Democracy & Technology and the ACLU are now on board).
Did the bill still have warts? Some thought so, and reasonable people can disagree reasonably about that. Then again, reasonableness is on hold until Nov. 5, so the question now is how long ought the country to wait for perfect?
"Amendments can be brought on," Robert Rodriguez, chairman and managing principal of the Security Innovation Network, said after the vote. "It's time to place a stake in the ground, to own it and lead it. But this is standard Washington, D.C., politics. We have an election, and some of these politicians, frankly, have to stop putting a finger in the air and trying to guess which way the wind is blowing. It's time to think of the American shareholder and do what's best for the country."
That sense of disappointment permeates the defense, national security, and intelligence circles, where the heavy hitters, including the NSA's head general, Keith Alexander, and the chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, had urged the bill's passage. And at a recent gathering, the Aspen Institute's Homeland Security Group -- more than half of whom were Bush administration appointees -- also threw their support behind the proposal. "The country is already being hurt by foreign cyberintrusions, and the possibility of a devastating cyberattack is real," the group said in a statement. "Congress must act now."
Despite the setback, the battle may not be over. On Monday President Obama was reported to be considering issuing an executive order.
Also, Leslie Phillips, communications director for the Senate Homeland Security and Governmental Affairs Committee, told my CNET colleague Elinor Mills that one of the bill's co-sponsors, Sen. Joe Lieberman (I-Conn.), remains open to raising the issue again in September. Phillips also said Lieberman is willing to sit down with Republicans to hash things out. However, she said that Republicans need to provide specific language for any amendments they want, rather than a list with 15 placeholders they submitted last week.
"GOP opponents insisted that security standards weren't really voluntary or what was now voluntary would soon become mandatory," she said. "We're happy to have open debate and entertain any amendment that is relevant and germane. There were gun amendments and abortion amendments and a lot of others, 218 amendments in all," she said.
That has little to do with how to improve cybersecurity or defend in case of a cyberwar. (See The Atlantic for a good overview of what a real cyberwar might look like.) But we don't even need to go to the extreme scenario of critical infrastructure getting knocked offline. We're right now suffering through one of the greatest transfers of wealth in the history of mankind owing to the theft of intellectual property, and why nobody's talking about that on the national stage remains a mystery. "La guerre! C'est une chose trop grave pour la confier à des militaires," said former French Prime Minister Georges Clemenceau. The loose translation: War is too serious a matter to entrust to military men. At the rate we're going, cybersecurity is proving too serious a matter to entrust to the political pygmies in Washington.