Cybersecurity Legislation Is Dead in Congress
Time of death: 6:11p.m. After a second failed cloture vote on the Cybersecurity Act of 2012 sponsored by Senators Joe Lieberman, ID-Conn., and Susan Collins, R-Maine, Senate Majority Leader Harry Reid declared, “Cybersecurity is dead for this Congress.” Despite interest from both sides of the aisle to address the issue of cybersecurity, there simply was not enough bipartisan support for the Cybersecurity Act to secure the 60 votes needed to clear the cloture hurdle.
Clearly, cybersecurity will be an important issue for the next Congress. Though the House of Representatives passed a package of cybersecurity bills last April with bipartisan support, the conclusion of the 112th Congress in a matter of weeks means that the 113th Congress will have to start anew when it convenes in January. With Senator Lieberman’s retirement at the end of this session -- a Senator who personally championed cybersecurity legislation during the last few years -- there certainly will be changes in the Senate’s approach to cyber work next year.
Going forward, ITI and our member companies will continue to engage with Senators, Representatives, and their staffs as we work to shape an enhanced cybersecurity structure for the United States that will best protect individuals, businesses, and governments.
In the U.S., 85 percent of critical infrastructure is owned and operated by private industry. Congress can pass legislation to help operators better understand and address cybersecurity threats without relying on a heavy-handed, regulatory approach. Such regulation could create siloed, bureaucratic structures, putting cyber defenses at a disadvantage because the entities charged with security would have limited coordination and be stymied.
Moreover, cyber intrusions and other incidents in today’s environment often come from multiple points and, while they are IT-based, they can combine technical tactics with social engineering or even physical access to a facility. Security teams cannot rely on regulators to accurately interpret and respond to multi-modal intrusions. They need to be able to identify a threat and counter it quickly – not after dealing with government bureaucracy.
As a result, we believe the heart of any updated approach should include a smart, strong information sharing system that is adaptable to meet constantly changing dangers. While the Administration can take steps on its own to improve the quality of actionable information that the U.S. government shares with industry, important aspects of information sharing related to liability protection can only be addressed through legislation.
The tech sector’s core cybersecurity principles (also reflected internationally by ITI, DIGITALEUROPE, and the Japan Electronics and Information Technology Industries Association (JEITA) in international cyber principles) focus on key issues of collaboration, interoperability, and proactive protections that focus on building awareness and sharing information.
We believe that efforts to improve cybersecurity must:
- Leverage public-private partnerships and build upon existing initiatives and resource commitments;
- Be able to adapt rapidly to emerging threats, technologies, and business;
- Properly reflect the borderless, interconnected, and global nature of today’s cyber environment;
- Be based on risk management;
- Focus on awareness; and
- More directly focus on bad actors and their threats.
We will continue to work collaboratively with Congress on cybersecurity legislation with the hope of eventual passage of a bipartisan law that effectively strengthens our nation’s cybersecurity posture.