White House efforts to draft an executive order establishing IT security standards and rules for sharing information on cyber attacks have become even more important given the Senate's failure on Wednesday to pass cybersecurity legislation, according to several people involved in the matter. Still, sources say legislation remains critical to shoring up U.S. defenses against a potentially crippling cyber attack.
The executive order, which has reportedly been in the works for months, would be a "prudent" stopgap but "can only get us so far," a Defense Department official told Killer Apps. "Ultimately, we will need legislative action in order to get the full tools to help protect this nation."
Senior defense officials have been extremely vocal this year in pushing for cybersecurity legislation, warning that unless something is done to increase the cybersecurity of America's banks, utilities, energy companies, communications providers, and transportation firms, the nation faces a "cyber Pearl Harbor."
The Cybersecurity Act of 2012, drafted by Senators Joe Lieberman (I-CT) and Susan Collins (R-ME), mandated minimum IT security standards for critical infrastructure providers, provided liability protection for businesses that share information about cyber attacks with the federal government, and restricted the information about private U.S. citizens that the government could collect. It also established the Department of Homeland Security as the lead government agency in defending U.S. critical infrastructure from cyber attack.
The bill stalled in August after Senate Republicans objected to the minimal security standards mandated in the bill, claiming they would burden businesses without protecting them from ever-evolving cyber threats.
Senate Majority Leader Harry Reid (D-NV) tried to bring the bill to the floor for a vote this month. However, that effort was rebuffed last night by Republicans who asked to insert five amendments to the bill but refused to reveal the contents of those amendments, according to Reid's office.
"They asked for five amendments last night, and we said, 'Sure you can have five amendments,' as is protocol. We said, 'What are they?' and they [Republicans] refused to tell us what they were," a spokesman for Reid told Killer Apps. "They could just come back to us with the five amendments they want and we could get amendment agreement and bring the bill back up [right now]. Short of that, it's hit a wall."
Senate Minority Leader Mitch McConnell (R-KY), who blames Reid for not allowing an "open amendment" process, suggested bringing the bill back for a vote in late December, when Congress will be occupied with reaching a deal on how to reduce the deficit in order to avert massive budget cuts under the process of sequestration.
If the bill is dead for this year, as Reid has said, the Nevada senator supports the White House's executive order as a stopgap measure despite his strong preference for the issue to be tackled by the legislative branch. "If we're unable to act, he thinks the threat is serious enough that he would support some sort of executive [order] in the meantime, just to make sure we're covered," said the spokesman.
Pentagon Press Secretary George Little released a statement after the bill was killed last night saying that Defense Secretary Leon Panetta was "disappointed" to learn of the bill's failure to advance, warning that legislative inaction could have "devastating" consequences.
"Secretary Panetta was disappointed to learn that the Senate failed to move forward on the Cybersecurity Act of 2012, which would have enhanced our nation's ability to protect itself against cyber threats, which are growing at an alarming rate," said Little. "Cyber attacks threaten to have crippling effects on America's critical infrastructure, and on our government and private sector systems. The U.S. defense strategy calls for greater investments in cybersecurity measures, and we will continue to explore ways to defend the nation against cyber threats. New legislation would have enhanced those efforts. If the Congress neglects to address this security problem urgently, the consequences could be devastating."
In addition to the executive order being worked on by the White House, President Obama last month signed a classified order establishing rules that will, among other things, help government agencies determine how they will operate during offensive and defensive cyber missions.