After months of debate, Senate sponsors of a broad cybersecurity bill have buckled to industry and Republican pressure to avoid any new government standards for critical networks.
Leaders of the Senate Homeland Security, Intelligence, and Commerce committees reintroduced a version of the Cybersecurity Act of 2012 on Thursday that drops any new authority for the Homeland Security Department to set and enforce standards. The bill is expected to be considered as soon as next week, after the tax bill.
“This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity,” Homeland Security Committee Chairman Joe Lieberman, ID-Conn., said in a statement. That’s exactly what businesses and Republican leaders have been pushing for months.
The move is a setback for the White House, which strongly backed the original Cybersecurity Act and criticized the House for not including similar critical-infrastructure authorities.
In an op-ed for The Wall Street Journal scheduled to be published on Friday, President Obama compared cybersecurity to security standards for aircraft and nuclear plants.
"The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements," he writes.
The White House and federal officials have been calling for at least some authority to enforce standards for the most critical networks, and Lieberman and Senate Majority Leader Harry Reid, D-Nev., had been holding fast against Republican criticism for months. Reid and other sponsors had insisted that when the bill was brought to the floor, it would gather enough support to pass.
But with calls growing for Congress to act to help secure computer networks from attack, the bill’s sponsors appear to have given up on trying to find enough votes to approve new authority. The House took a similar approach when it also left out any new authorities in a slate of cybersecurity bills passed in April.
“While I still prefer the regulatory approach, and believe that it would better protect our country, we are moving forward in the spirit of compromise with an incentives-based voluntary approach because it is a crucial matter of public safety and national security that we do something now to ensure our most critical infrastructure is protected from cyberattacks,” Commerce Committee Chairman Jay Rockefeller, D-W.Va., said in a statement.
The revised bill would establish a multi-agency National Cybersecurity Council and includes provisions for businesses to create voluntary standards, as well as measures to increase information-sharing and boost federal network security. In response to concerns from civil liberties groups, other new changes to the bill restrict the way information can be shared.