Steptoe Cyberblog

What Happened to the Cybersecurity Bill?

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

The cybersecurity bill is dead for this Congress, with cloture failing by a vote of 52-46. The Senate’s failure to reach any kind of compromise is particularly striking, given that roughly two-thirds of the basic ideas in the bill had been endorsed by all of the following: the Obama administration, Senator McCain and the great majority of Senate Republicans, Majority Leader Reid, Senators Lieberman and Collins, as well as a bipartisan majority of the House.

So, what went wrong?  Who does everyone blame if we suffer a significant attack on our civilian infrastructure before Congress returns to the issue?

On the lobbying side, there are probably two candidates.

The US Chamber of Commerce is the Democrats’ favorite whipping boy. But in this case the Democrats are right. The Chamber wanted this bill dead, and it rejected substantial efforts to accommodate its concerns on the part of Senators Lieberman, Collins, and Kyl — none of whom are exactly enemies of business. It simply pocketed the concessions and kept campaigning against the bill, threatening to make the issue a “key vote” and give supporters an antibusiness score on the Chamber’s scorecard.

A less obvious but equally important role was played by the privacy groups, whose contribution I’ve described before. The information sharing provisions in CISPA, the House bill, had support from all parts of Congress and from the Administration, but the privacy groups managed to make the provisions controversial nonetheless, trashing not just the Republican-supported CISPA but even the Obama Administration’s version of information sharing. That foreclosed any hope of reaching a compromise that would enact information sharing plus several uncontroversial provisions while stripping out the private sector standards (the Administration also rejected this half-a-loaf strategy).

Between them, business and privacy lobbyists provided the friction that made progress on the bill difficult. Senators on both sides of the aisle were hearing from natural allies who opposed the bill.

But Senators are capable of pushing back on constituents, especially when national security is at issue. Why didn’t that happen here?

To some extent, it did. In retrospect, kudos go to the House, which showed a surprisingly bipartisan commitment to finding a solution. When the regulatory provisions ran into the Chamber’s buzz saw, the intelligence committee and House leadership produced a half-loaf information sharing bill and mustered substantial Democratic support for it.

So who killed the bill? Again, I’ve got two candidates.

Sen. McCain played the largest role in rallying opposition to Collins-Lieberman and then was unable or unwilling to deliver a compromise when the chips were down. I’ve worked with him. I respect him. He’s an honest patriot. But he miscalculated badly here.

So did the President. In fact, the President probably contributed as much as Senate Republicans to the collapse of the bill. When the House was considering cybersecurity legislation, the White House issued a veto threat against CISPA on fairly flimsy grounds — mainly its half-a-loaf nature and some remarkably trivial differences over privacy protection (e.g., CISPA relied on Inspectors General to perform privacy reviews; the White House preferred to use the Privacy and Civil Liberties Oversight Board, despite having left that board without members for nearly all of the President’s first term).

That point-scoring White House message signaled to Democrats that the cybersecurity bill was not immune from partisan gamesmanship and helped to sour the atmosphere in the Senate. The closer the election came, the harder it was for anyone to overcome their mistrust of the other side’s intentions.

That, in short, is why it’s hard to pass legislation in an election year.