Sen. Susan Collins, R-Maine, a co-sponsor of the Cybersecurity Act, expressed disappointment at the bill's 51-47 defeat in the Senate. “In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we've done less,” she said in a statement. (Sheila Vemmer / Staff)
The Senate on Wednesday failed to pass cybersecurity legislation that would set voluntary security standards for owners of critical infrastructure, such as dams, energy and water systems.
A 51-47 vote to move forward with final passage showed a clear majority in favor of the bill, but it fell short of the 60 votes needed.
“Cybersecurity is dead for this Congress,” Senate Majority Leader Harry Reid, D-Nev., said following the vote. “What an unfortunate thing.”
Sen. Susan Collins, R-Maine, a co-sponsor of the Cybersecurity Act, expressed similar disappointment. “In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we’ve done less,” Collins said in a statement.
Senators were at a similar crossroads in August, but some were hopeful that Sen. John McCain, R-Ariz., and other Republicans who strongly opposed the bill would at least vote to debate the bill and introduce relevant amendments. McCain, who on Wednesday initially expressed a willingness to move forward with the bill if some amendments could be introduced, ultimately voted against the bill.
Under the bipartisan bill, critical infrastructure owners would become eligible for certain benefits if they voluntarily certify through a third party that they meet cybersecurity standards. Those benefits would include liability protections in the event of a cyber attack on their systems.
Defense Secretary Leon Panetta, who supported the bill, said he is disappointed that the bill failed in the Senate.
Republicans argued that implementing the bill would be a financial burden to industry. They also opposed the Department of Homeland Security’s role in approving and overseeing cybersecurity standards for industry.
Retiring Sen. Kay Bailey Hutchison, R-Texas, who voted against the bill, suggested that the Senate start over and allow all committees with jurisdiction over cyber to provide their input.
Absent cybersecurity legislation, administration leaders have said the president would move forward with an executive order to improve cybersecurity of the nation’s most critical infrastructure.
Senators said that a draft of the executive order is being circulated, but it is not clear when the president will sign it. The order is said to include provisions that will establish cybersecurity standards for the 18 critical infrastructure sectors in areas where regulators have existing authority to enforce those standards. The order, however, could not provide liability protections for companies that follow those standards but are attacked.
Meanwhile, President Obama signed a classified directive in mid-October, Presidential Directive 20, that explicitly defines how the military will respond to a cyber attack using both offensive and defensive capabilities, the Washington Post reported this week. The policy also includes a process to “vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed,” the Post reported, citing unnamed senior officials who had seen the directive.
Jamie Barnett, senior vice president at the Potomac Institute for Policy Studies, said the directive is a foundation that must be built on with an executive order and cybersecurity legislation. Barnett, who has not seen the directive, said that an executive order would be a companion to the president’s policy and apply to the entire government.
“This is not … everything that needs to be done,” Barnett, said of the directive. “We need a clearly articulated cyber doctrine.”