The Cybersecurity Act of 2012 failed to clear a procedural hurdle to get a full vote. Business fuels death of cyber bill

Over the last three years savvy business interests managed to water down a bill to beef up America's cybersecurity – and then Thursday it drowned.

Key industries played one chamber against the other and one party against the other, knowing precisely where to toss their monkey wrenches.


What they did not do: race to self-regulate to appease Congress the way industries in the crosshairs usually do — a sign that they believed they'd win in the end.

The Cybersecurity Act of 2012, the tougher of the two main bills in the Senate, failed to clear a procedural hurdle Thursday to get a full vote — despite widespread predictions of crippling cyberattacks.

“You’d think they’d step up, but they think they can avoid it, so they want to push it off,” Senate Homeland Security Committee Chairman Joe Lieberman (I-Conn.), a lead sponsor, told POLITICO recently.

Lieberman added that the tactic is “dangerous” because the cyberthreat is real. “They’re trying to make this into a business versus government regulation issue, which it’s not,” he said. “It’s a question of the safety and security of the American people.”

A powerful coalition of industries — energy, financial services, technology and others — saw trouble brewing in the Senate, where a tough bill would have forced new digital standards at power plants, water systems and other key sites. So they turned to the House, where a friendly Republican majority passed a bill with voluntary new rules. Eventually the Senate followed suit with voluntary rules of its own. But then the Chamber of Commerce swooped in and said even the voluntary standards were too heavy-handed.

By the time the bill came to a procedural vote Thursday, there was no chance that it would pick up the 60 votes it needed — even in the weaker form.

Most Senate Republicans preferred an alternative bill, the SECURE IT Act, which sought to improve information-sharing about cyberthreats between government and business instead of rules for privately run infrastructure. After the vote Thursday, Senate Minority Leader Mitch McConnell blasted Democrats for nixing their bill. "This bill will be back, because it must be back," McConnell said at a press conference. "So the vote is not the end of the discussion, but the beginning of the discussion."

No player in this debate disputes that the nation is vulnerable to cyberattacks or that private industry hasn’t done enough to secure itself. Historically, that general agreement would have led industries to conjure up their own solutions to avert congressional meddling — either out of a good-faith effort or just to put on a public relations show. The movie industry did it with the ratings board, the recording and video game business created voluntary warning labels and even Big Oil takes steps to appear concerned about mitigating its environmental impact.

On cyberlegislation, though, silence. Neither the power companies, nor the software makers, nor the transportation sector has bothered to so much as announce any industry-wide initiatives aimed at beefing up online security. They didn’t have to.

The closest the business community got to backing a national cybersecurity solution was getting buy-in from everyone from Facebook to Lockheed Martin to Edison Electric to back the House Republican cybersecurity bill known as CISPA, despite an Obama veto threat. The White House and privacy advocates objected to CISPA, which passed the House in April, because the bill lacked protections for sharing of personal information between government and industry.

The Chamber points to its support of CISPA to show it wasn’t simply gumming up the works. But as the amendment process rolled on this week, the business group went all-in against salvaging the Cybersecurity Act by warning members of Congress in a stern letter that they would score support of it against them.

On Thursday, the group took a victory lap. “While we thank the co-sponsors for their efforts on the issue of cybersecurity, the legislation voted down today would have given the federal government too much control over what actions the business community could take to protect its computers and networks,” said Ann Beauchesne, the Chamber’s vice president of National Security and Emergency Preparedness in a statement.

“The Chamber will continue to support SECURE IT and CISPA,” she continued, “and will work with Senators from both sides of the aisle to develop a final bill that addresses the nation's cybersecurity deficiencies, not through a new onerous regulatory framework, but through strong public-private partnerships.”

What perplexed lawmakers, though, was that the Cybersecurity Act allowed businesses to opt out of providing threat information with no consequence. It offered liability protection and enhanced threat information from intelligence agencies to corporations that voluntarily agree to adopt new safety standards and provide information to the government.

That’s precisely what the Chamber asked for, according to a frustrated Senate Commerce Committee Chairman Jay Rockefeller (D-W. Va.). Rockefeller reacted to the Chamber’s view with a letter that said: "We have moved to a voluntary approach after extensive discussion with your organization, other private companies and other members of the Senate."

The tech-industry lobby TechAmerica, too, asked for major changes and IBM, like the Chamber, saw the CSA as likely to “quickly transform into a de facto government regulatory scheme on privately owned critical infrastructure."

Meanwhile, Oracle and Cisco, longtime opponents of various prior editions with required disclosures, came out in favor of the newest bill.

Critics say all of this side-switching is having its intended effect, which is to keep certain lawmakers guessing whom they’ll upset by supporting CSA or CISPA.

“It’s painful to watch precisely because it’s pretty obvious that the business and technology interests that oppose this are slowing it down in the hopes it will not go anywhere this year,” said Stewart Baker, the assistant secretary of Homeland Security for policy during President George W. Bush’s second term. “Everything that delays things and complicates things, it’s encouraged by the industry.”

Baker and others say some tech lobbyists privately gloat about the opportunities to exploit Congress’s polarization to manipulate the Hill into inaction. Meanwhile, lawmakers and the public hear ever more about the natural gas pipelines that are targeted, the water systems porous enough for a crippling attack and the power grids that can be darkened in mere keystrokes.

Even as the meek compromise bill was in motion in the Senate over the past two weeks, many knew it would never go into effect. Sen. John McCain (R-Ariz.) declared as much before the debate even began, urging Senate Majority Leader Harry Reid to focus on Defense reauthorization because the Cybersecurity Act had “zero chance of passing in the House or ever being signed into law.”

Several sectors are literally banking on just that — to the tune of millions in lobbyist fees.

“They’ve done a nose count on the Hill, and they don’t feel they need to pacify anyone,” said James Lewis, of the Center for Strategic and International Studies and a former cybersecurity expert for the State and Commerce departments. “There’s a strong ideological divide that takes things that would have been unquestionable 10 or 20 years ago and puts them in play. The last White House and this White House have this mantra that we should always defer to the private sector. Well, if you’re going to defer to the private sector, the private sector isn’t going to defer to you.”

Some lobbyists insist the problem isn’t merely obstruction for obstruction’s sake. Congress, they say, wants to regulate too many different sectors at once on cybersecurity. That creates inherent, probably irreconcilable conflict between competing interests.

“There are going to be many, many voices and many, many views of what could be done,” said lobbyist Norma Krayem, who represents companies in the energy, financial services and transportation sectors. “Within that group of voices, some are saying nothing should be done. It’s always easier to kill something than to get it done.”

What’s more, lobbyists know lawmakers are jittery about technology regulation after facing Internet blackouts and protests earlier this year while considering SOPA, an online piracy bill. The power of high-tech industries to disrupt everyday life to get what they want — or, rather, to not get what they don’t want — shocked and awed the Hill.

“I think the issue is not so much would they act to keep Congress from acting but that they know Congress won’t act,” said Hilary Rosen, former longtime executive director of the Recording Industry Association of America when the music industry voluntarily created labels for parents to warn them of potentially objectionable lyrics in songs. “They turn regulation into a cry for Internet freedom, whether it’s consumer protection or intellectual property enforcement or whether it’s cybersecurity.”

And those cries, Rosen insisted, come along with so much deliberately confusing tech jargon that some lawmakers can feel inadequate taking sides.

Aversion to regulation by companies in the cybersecurity debate may partly be a function of the tech industry’s relatively recent emergence in the post-Reagan era when government regulation became anathema even to many Democrats. “They’ve all burst on the scene since the 1980s,” Baker said of the big Silicon Valley firms. “They don’t have any of that legacy of the prior era. That was a different world. AT&T and Exxon grew up in that world. Cisco didn’t.”

Microsoft, which dates back to the 1970s, may be the closest in the tech space to straddling both sides of that chronological divide. As such, the company last month tried to improve its customers’ online privacy experience by announcing the newest version of Internet Explorer would have a default “Do Not Track” setting.

Instead of being embraced by competitors as a way to address online user concerns, Microsoft endured fierce blowback from Google, Facebook and online advertisers who warned the move would impede their ability to collect personal data to “enhance the user experience.” Microsoft promptly backed off.

The tipping point on cybersecurity may come if and when there’s a devastating incident. That, Baker predicted, would spur lawmakers to overcorrect — to the detriment of industries that could have crafted an amenable, effective bill now.

“Everybody has to recognize that if there is an event that really causes some problems, the folks who are arguing for less action will be unable to get their message out,” Baker said. “They’ll get a bill that could be worse than if they’d taken a little more proactive point of view.”

Lieberman could only be pessimistic about the loss Thursday. “It’s hard to see today as anything but a failure of the Senate and a setback for our national security,” he said.

This article first appeared on POLITICO Pro at 7:56 p.m. on August 2, 2012.