Cybersecurity Bill Dies, Obama Signs Cyberwar Directive. What's Next?

The Cybersecurity Act of 2012 is dead. The bill would have given the Department of Homeland Security greater control over security standards and involved it in industry efforts to protect critical infrastructure.

Opponents of the bill feared that the department would have had too much control and that too much private information would have been shared between business and government. Advocates maintain that new legislation is imperative to safeguard the nation.

"Cybersecurity Is Dead For This Congress"

Proponents of the cybersecurity legislation failed to end debate on the measure and force a vote twice this year. Senate Majority Leader Harry Reid (D–Nevada) said, “cybersecurity is dead for this Congress,” meaning nothing more is likely to happen until the new Congress convenes in January.

The bill was similar to the Cyber Intelligence Sharing and Protection Act (CISPA), which the House of Representatives passed in April but the Senate rejected.

The primary opponents of the bill were business associations such as the U.S. Chamber of Commerce, which argued that the measure would put undue burdens on small businesses, forcing them to change their day-to-day operations. Senate Republicans took the side of the Chamber. Republicans also objected to restrictions on the amendments that could be attached to the legislation.

So what happens now?

Obama's Likely Executive Order

The Obama Administration is likely to bypass Congress by writing sections of the bill into an executive order. In some ways, this is preferable for proponents of cybersecurity legislation in that the most important aspects of the measure would be enacted, providing an immediate framework for how the country responds to cyberattacks on critical infrastructure. But an executive order probably would not assuage opponents, especially if the secretive Department of Homeland Security is the locus of the effort.

The need for cybersecurity legislation has become increasingly clear as viruses like Shamoon, Mahdi, Stuxnet and others have wreaked havoc on critical infrastructure and performed cyber espionage across the world. The U.S., which may have been behind some of these attacks, is cognizant of the need to shore up its cybersecurity efforts.

“Global IT infrastructure is a world of glass houses, and there’s an escalating trend of people throwing stones,” Mike Lloyd, chief technical officer of RedSeal Networks, told ReadWrite in an email. "Sometimes it’s necessary to move beyond your own glass house to catch someone who is threatening or actually attacking your infrastructure."

Presidential Policy Directive 20

President Obama took the first steps toward creating effective cybersecurity legislation this week by signing Presidential Policy Directive 20, which, while not an executive order, outlines the role of the government in offensive and defensive cyber operations. As a directive, it adds no powers for federal agencies. A presidential directive is usually a statement from the White House outlining a national security policy framework for other agencies in the federal government.

"The Policy Directive is attracting attention because it directly indicates that rules of engagement in cyberspace can include tracking down rock-throwers in other networks," Lloyd wrote.

"But its core message must not be missed: We need to get our own house in order. In an interconnected global network, it won’t be possible to chase after and catch every potential rock-thrower – new threats will continue to emerge, and if we continue to ignore or poorly maintain our glass houses, the losses will continue to increase," he wrote.

“Our existing critical infrastructure is not very hard to compromise,” Lloyd wrote. "The drum beat of publicity around break-ins for the last few years is bringing that message home."