Cybersecurity and the Need for Congressional Action
By Ben Yelin, CHHS Research Associate
The danger posed by cyberattacks is urgent and growing. Cyberattacks have breached the Pentagon and sent businesses into bankruptcy. Unless Congress takes decisive action, our nation will be vulnerable to a cyberattack that could damage critical infrastructure or our national security interests.
A recent incident highlighted our nation’s cybersecurity vulnerabilities and crystallized the need for comprehensive cybersecurity legislation. Earlier this month, the White House confirmed a report that government computers, including those containing sensitive data, were breached by Chinese hackers. The email, sent from a computer server in China, was a so-called “spear phish,” a message that is disguised to appear as valid, but in fact allows hackers to breach a system, and, in the case earlier this month, access potentially sensitive information. Cybersecurity expert Anup Ghosh notes that over the last two years, Chinese hackers have aggressively targeted American corporations for their intellectual property and government entities for national security information. “The cybersecurity industry is woefully behind the curve in terms of protecting the network from spear-phishing attacks against employees,” Ghosh said. “Today, training is the primary solution to this problem and training simply does not work.”
Congress earlier this summer considered a comprehensive cybersecurity measure. The bill, sponsored by Senator Joseph Lieberman (I-CT) and supported by President Obama, would boost the security of critical infrastructure networks – including electrical grids, transportation systems and water systems – in a number of ways, primarily by establishing a National Cybersecurity Council, under the auspices of the Department of Homeland Security. The Council would be tasked with identifying risk areas in critical infrastructure, and establishing procedures for private and public entities to report critical cybersecurity breaches. Finally, the Council would implement cyber response and restoration plans. Unlike an earlier version of the bill, businesses operating critical infrastructure would not be required to meet mandated government security standards, but rather, would be rewarded with incentives, such as protection from liability, if they meet voluntary security standards.
As with many bills in Congress these days, partisan politics stalled the cybersecurity measure. On August 2, the bill was successfully filibustered by the Senate just as that chamber reached its August recess. One of the main reasons the bill has stalled is that the U.S. Chamber of Commerce is flexing its lobbying muscles to kill it. The Chamber is opposed to voluntary security standards, saying “that once a government-driven ‘voluntary’ standards system is enacted, it’s only a short hop to a mandatory one because the administration has the intent and regulatory leverage.” Many Republican Senators, such as Roy Blunt (R-MO), admit they were swayed by the Chamber’s opposition, noting that they didn’t want to add any new burdens to businesses in the current economic climate. The Congressional Budget Office has not given cost estimates for the bill, either for the government or for the private sector.
That opposition to the bill fueled the inclusion of several poison pill amendments. Unlike members of the House of Representatives, Senators can propose any amendment to any bill, whether it is relevant to the bill under consideration or not. For example, Senator Mike Lee (R-UT) proposed an amendment outlawing abortion in the District of Columbia after 20 weeks. Senator Frank Lautenberg (D-NJ) sought to attach an amendment strengthening gun control. These divisive amendments tied up valuable time and were proposed specifically to obstruct and kill the original legislation.
In an effort to address some of the cybersecurity concerns, the White House has proposed an executive order to deal with the problem at government agencies. Ranking Senate Homeland Security Republican Susan Collins argues that the executive order would not protect businesses from potential lawsuits over information-sharing. Such protection is needed to encourage information-sharing among private entities. Also, as General Keith Alexander, director of the National Security Agency (NSA) and commander of U.S. Cyber Command, noted, an executive order “doesn’t give us the ability to work with the Internet service providers and allow that to benefit the rest of the critical infrastructure and the rest of government.”
The smallness of the politics that ground the Senate to a halt does not match the immense threat a lack of cybersecurity poses. When Congress returns for its lame duck session next month, comprehensive cybersecurity legislation should be a top priority.