Senate Majority Leader Harry Reid, D-Nev., said Saturday that he will try to bring cybersecurity legislation to the floor again in the lame-duck session, giving Democrats one more chance to pass a bill that has become a top national security priority for the Obama administration. Reid's comments came in response to a Thursday night speech from Defense Secretary Leon Panetta, who warned of the urgent need to pass new cybersecurity legislation to avoid a potentially catastrophic attack.
The news also comes after more lawmakers have weighed in on the possibility of a cybersecurity executive order, which is currently being drafted by the White House. Several Republicans have spoken out against the threat of an executive order, which they claim would bypass Congress to implement new security standards on critical infrastructure providers. Democrats have framed any new rules as voluntary, but industry remains heavily opposed to such measures. Reid argued that Republicans who claim to be taking the threat seriously would have the opportunity to prove it by voting for the legislation, which failed to overcome a GOP filibuster earlier this summer.
Reid's announcement is significant for cybersecurity stakeholders, but it also appears highly political in nature, and we remain skeptical about the odds of the bill passing the Senate, let alone becoming law. As we predicted, more reports of large-scale cyber attacks have come to light since the failure of the Senate cybersecurity bill, with some officials speculating that Iran could be responsible for a recent wave of attacks that targeted utilities and other critical systems abroad. These claims are getting a great deal of play in the mainstream media, and we do not believe it's a coincidence that suddenly more information about the nature of the threat has come to light. In addition, Panetta acknowledged the Pentagon's offensive cyber capabilities, which remain largely secretive and await formal administration policy on how and when they can be deployed.
But very little appears to have actually changed with regard to the political landscape. Cybersecurity experts, Senate Democrats and the administration all appear in lockstep on the need for new protections. Industry and Republicans still appear strongly opposed to anything resembling a regulatory mandate for critical infrastructure providers, regardless of how softly it is peddled. And the broader public still remains unmoved by the issue at the voting booth, despite increasingly dire warnings about a "cyber Pearl Harbor" from senior government officials. We continue to maintain that the push for legislation is more about the need to clarify the government's ability to respond to attacks than ensuring industry takes adequate safety measures. Likewise, the government tends to feign ignorance on some cybersecurity matters, while simultaneously conducting highly sophisticated programs whose capabilities far outstrip anything currently seen in the commercial marketplace.
In other words, the administration is more serious about cybersecurity than ever before, but they're still being less than candid about the reasons they want the bill passed. While the threat of a cyberattack on the American power grid or transportation structure is real, the push for legislation is more about enshrining in the legal code activities that are likely already taking place within the government. Given the lack of transparency on the issue, it's therefore not surprising that privacy advocates and other groups that would normally side with the Democrats remain highly skeptical about the intent and implementation of the bill.
Perhaps enough senators will have shifted to allow the bill to come to the floor, but we wouldn't hold our breath. Even if the bill passed the Senate, the House remains unlikely to act on anything more than a limited public-private information sharing measure. So the push is also about ensuring that everyone's you-know-whats are covered politically in the event of a catastrophic cyberattack. Regardless, cybersecurity legislation is not likely to become law this year, or next year, and probably will have to wait until the debate progresses beyond fear-mongering to an actual debate over the substance of regulating how companies secure their networks.
Franken Pushes For Cellphone Privacy Bill: Sen. Al Franken, D-Minn., used the release of a report on cellphone privacy violations to call for new legislative protections as outlined in his bill (S 1223) requiring customer consent before communications providers collect and share location data from consumers. Franken was responding to a GAO report that found customers are often unaware that their location data could be turned over to law enforcement and are unaware of the greater risk for identity theft. Franken's bill would limit the use of mobile devices for surveillance, but the Judiciary Committee has yet to act on the bill after more than a year.
Rockefeller Queries Data Brokers: Senate Commerce chairman Jay Rockefeller, D-W.Va., began an investigation last week into how data brokers manage sensitive information about consumers. Rockefeller wrote to nine major data brokers, requesting detailed information about what kind of data they sell to third parties and how much money they make from it. The move is a prelude to the online privacy debate that is shaping up for the next Congress, where lawmakers will debate expanding privacy protections for consumers online. Industry is predictably opposed to new regulations, and many prominent Web companies have been furiously lobbying against any laws that would hamper their ability to monetize the information they collect from consumers.
House Panel To Look At Radio Royalty Rates: The House Judiciary Committee plans to hold a hearing during the lame duck session on the royalty rates charged to traditional radio stations, along with their Internet counterparts. Traditional over-the-air stations currently pay no royalties, while satellite and cable providers follow a cheaper fee schedule than their Web counterparts like Pandora.
One proposal (S 3609, HR 6480) would lower the rates paid by Internet stations to make them level with satellite and cable radio providers, but that has predictably encountered resistance from the music industry and artists. Pandora's position has been bolstered by support from the National Association of Broadcasters, while the RIAA and other music industry groups would rather see terrestrial stations start paying more.