In recent years the U.S. has struggled under the weight of constant cyberattacks from China. But in recent months, a new threat has emerged -- Iran -- a nation the U.S. long wrote off a cyber-weakling.
I. Reviving S.3414
In the midst of this two-sided battle, the Obama administration is making a second pitch to members of Congress to revive and pass a slightly modified version of the Cybersecurity Act of 2012 (S. 3414).
The administration's argument is basically, "Hey, we'll take out the parts of the cybersecurity bill that you don't necessarily want to be seen supporting, and replace them with executive orders."
Most on both sides of the aisle agree that in the perfect world there would be some sort of exchange of threat information between the government and the private sector; the question is how to do that, without imposing onerous red tape on the private sector.
There is some base controversy about the fact that the administration's plan flows data through the U.S. Department of Homeland Security (DHS). Rep. Ron Paul (R-TX) has attacked the bill, which he calls a "big brother writ at large", and also called out the DHS as an "inefficient and redundant entity, commenting, "It’s the inefficiency of the bureaucracy that is the problem. So, increasing this with the Department of Homeland Security and spending more money doesn't absolve us of the problem."
Businesses are mistrustful of the government's ability to secure their risk analyses.
[Image Source: Stream 20]
But many Republicans are supportive of having the DHS handle terrorist threats -- including in cyberspace; after all it was a Republican who created the DHS in the post-9/11 aftermath.
The part that bothers the majority of Republicans is opposition from major businesses which fear Sec. 102 "Sector-by-sector cyber risk assessments". The concern from the private sector lies not so much in the cost -- businesses will generally be forced to perform such risk analyses anyhow. Rather, there's fear that the government could lose this data as it has lost masses of data in the past (Wikileaks, anyone?) exposing potentially embarrassing and damaging vulnerabilities.
So the Obama administration may snip the Sec. 102 language, while keeping the basic concept of the government sharing information on threats with private sector firms like banks and defense contractors. Senator Majority Leader Harry Reid (D-NV) is reportedly preparing to introduce the slightly revised bill, according to Reuters.
Comments Jeffrey Ratner, senior adviser for cybersecurity on the Senate Homeland Security Committee, on the removal of the Sec. 102 language, "[Bill coauthor Joe Lieberman] wants legislation [on risk analysis], but he's willing to focus on the rest of this bill, because there are important things there that he believes need to be implemented."
II. Watered Down or Bipartisan Compromise?
Sen. Joe Lieberman (I-NH) is one of the bill's coauthors, who is working with Sen. Reid, a former party colleague on the draft.
DHS Secretary Janet Napolitano says the bill will not create new bureaucracy, merely improve and codify efforts that are already underway. She comments, "We know there are … vulnerabilities. We are working with [private industry] on that."
The revised bill is likely to move closer to a bipartisan bill proposed by House of Representatives by Chairman of the House Intelligence Committee Rep. Mike Rogers (R-MI) and the top Democrat on that panel, Rep. C.A. Ruppersberger (D-MD). That bill is known as the The Cyber Intelligence Sharing and Protection Act (H.R. 3523)
The plan is to pass the pared down bill, which some critics call a "watered down" version of S. 3414. President Obama will then try to implement some of the removed features via executive orders, placing the blame or credit for them on his own administration, not Congress.
President Obama's cabinet is looking to implement the missing features of S.3414 with executive orders. [Image Source: Associated Press]
But even if that plan may be palatable to Congress, not everyone thinks it will help safeguard the U.S. Dmitri Alperovitch, chief technology officer of CrowdStrike, argued to Reuters that the real problem is that U.S. lacks the backbone to initiate digital counterstrikes or offline trade repercussions against those who attack it.
"We're having the wrong debate," he says, "What's the benefit of information-sharing if you're not going to act on the information?"
http://www.dailytech.com/Amid+Recent+Cyberattacks+Senate+Poised+to+Revive+Cybersecurity+Bill/article29086.htm