The chances of Congress passing a cybersecurity bill before the presidential campaign drowns everything else out are dimming, but a couple of senators are giving it a try anyway.
Sens. Sheldon Whitehouse (D-R.I.) and Jon Kyl (R-Ariz.) are circulating a draft bill that they hope will settle one of the major debates over competing legislative proposals: How heavy the hand of government should be in regulating industries that operate critical infrastructure. They are proposing incentives instead of mandates.
How much it matters if they succeed is another question. Senate Majority Leader Harry Reid took to the Senate floor Tuesday to say it matters very much. He cited a letter from a bipartisan group of former national security officials from both the Bush and Obama administrations, who wrote that the nation is at risk of being unprepared for "'cyber 9/11,' (and) it is not a question of whether this will happen; it is a question of 'when.'"
The group includes Michael Chertoff, former secretary of Homeland Security; Paul Wolfowitz, former deputy secretary of defense; Mike McConnell, former Navy vice admiral and director of the National Security Agency; General Michael Hayden; Retired General James Cartwright; and William Lynn III, another former secretary of defense.
In the letter, the group called the threat of a cyber attack "imminent." And they said it "represents the most serious challenge to our national security since the onset of the nuclear age 60 years ago."
Reid attacked Republicans for blocking a pending cybersecurity bill now in the Senate, backed by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), accusing them of not taking the threat of cyberattack seriously and of failing to present any credible alternatives. He said he wants to pass a bill before the current Senate session expires at the end of the month.
But Joel Harding, a retired military intelligence officer and now an information operations expert and consultant, while he supports legislative action, said, "We cannot create this legislation quickly enough -- we needed it a decade ago."
And even if something does pass, Harding said that on the day it is signed into law, "it will be obsolete unless there is a new understanding, that legislation will consistently need to be updated to reflect rapidly changing technology and techniques."
Rainey Reitman, activism director for the Electronic Frontier Foundation, agrees with Harding.
EFF has objected strenuously to what it says is a lack of privacy protections in most of the pending proposals, and Reitman said she couldn't comment specifically on the Kyl-Whitehouse proposal, "because we haven't seen it."
"However, anytime the federal government is given the power to regulate technology, it creates the possibility that technology will outpace the government's ability to keep up," she said. "They have made efforts in the bill to address that concern, but it could be years before we really know whether they were successful."
Congress, of course, rarely operates quickly or proactively. The Hill reported last week on the Kyl-Whitehouse proposal -- another bipartisan effort, at least based on its sponsorship.
But the House already passed a bill April 26 -- the Cyber Intelligence Sharing and Protection Act (CISPA) -- that has been attacked for not having enough individual privacy protections, and President Obama has threatened to veto it. In the Senate, the Lieberman-Collins bill, called the Cybersecurity Act of 2012 (CSA), is stalled due to opposition from most Republicans because it gives the Department of Homeland Security (DHS) the power to mandate security standards for critical infrastructure systems.
Sen. John McCain (R-Ariz.) in particular has criticized the Lieberman-Collins bill, saying it would impose unnecessary burdens on businesses. And House GOP leaders have indicated they will not even allow a vote on any legislation that creates new mandates for cybersecurity.
The Kyl-Whitehouse proposal attempts to satisfy the mandate objection by replacing the "stick" approach with a "carrot." Instead of mandates, it proposes a package of incentives for companies that comply with government security standards -- liability protections, preferential treatment in securing government funding and technical cybersecurity assistance.
But Reid, when he spoke on the Senate floor, was talking about the Lieberman-Collins bill, which he called "an excellent piece of legislation," and said he intended to move it to the floor before the end of the session.
And Lieberman, while he has called the Kyl-Whitehouse proposal "encouraging," hasn't signed on to it. Lieberman spokeswoman Leslie Phillips said it is too early to talk about the Kyl-Whitehouse proposal, since it is still in the form of a six-page draft. "It is still vague and there are still a lot of questions about it," Phillips said.
But she said Lieberman is still hopeful that "something will happen by the deadline."
Joel Harding said the reality is that since meeting government standards requires disclosure, "there may never be enough incentives to convince a company to disclose information that may harm their reputation, costing them current and possibly future business."
But he said: "[There] must be a certain amount of mandates, regulations, laws, call them what you want, to force companies to share their data with the government. Otherwise the government will not have the total picture and perhaps won't have the ability to stop or even prevent current and future problems."
Rainey Reitman said EFF remains "deeply concerned with the civil liberties implications."
"These issues need real solutions or we'll end up with information sharing provisions equivalent to the dangerous provisions in CISPA," she said. "I don't see how ameliorating the concerns of companies around critical infrastructure will address our worries about the privacy rights of Internet users."