The latest buzz on cybersecurity legislation is that Sens. Sheldon Whitehouse, D-R.I., and Jon Kyl, R- Ariz., are in the process of brokering a compromise that would ostensibly split the difference between competing Senate proposals (S 2105, S 2151). The talks are a last-ditch attempt to satisfy Democrats and cybersecurity hawks by addressing critical infrastructure, while appeasing industry concerns by making any security standards purely voluntary. Incentives such as liability protections and classified security clearances are among the potential incentives that could be used to lure companies into complying with the proposal, which is still being evaluated by the various stakeholders. The U.S. Chamber of Commerce, which has become a prominent voice of the opposition, is expected to offer its opinion on the proposal later today.
But compromise may be too generous a word, considering where the legislation now stands compared to the original intent of its sponsors. The Senate deal would likely give companies a good deal of input in determining both which sectors would be designated as covered critical infrastructure, and what standards companies would need to meet in order to be considered compliant. In other words, the standards will be written by industry and for industry, again casting doubt on their efficacy. And there's still no guarantee the Chamber will sign off on the latest language.
As one cybersecurity expert told me yesterday, it's hard to accuse the Democrats of caving on minimum security standards for critical infrastructure, when their previous bill already included industry exceptions large enough to fit a Mack Truck (or power grid). Said expert believes that even as it stands, the legislation will do little to operationally improve cybersecurity in the U.S., with the exception of some of the bill's information sharing measures. But that won't stop sponsors such as Homeland Security Chairman Joe Lieberman, I-Conn., from declaring victory if a bill passes later this month.
So where does that leave us? As we've predicted all along, it appears the information sharing measures passed by the House earlier this year (HR 3523) will be the most we can expect from cybersecurity legislation, at least in the short term. While cutting down the barriers to information sharing between the public and private sector is nothing to sneeze at, it appears neither chamber will mandate that critical private companies take the steps needed to protect their systems against a potentially catastrophic attack.
So it appears that even if cybersecurity legislation does get done this session, whatever passes will fall well short of the goals espoused by the White House and Senate leadership. Not surprising, considering Democrats have uncharacteristically been forced to take a position strongly supported by the military but opposed by liberals, industry and civil liberties advocates. Supporters genuinely believe that baseline security standards are needed to protect the U.S., while Republicans have shown that industry-friendly information sharing provisions are all they are willing to stomach at present. Even those information sharing measures have drawn significant opposition from privacy and civil liberties advocates, putting the White House at odds once again with key portions of its base. At this point it appears that only a game-changing event, such as a catastrophic cyberattack on U.S. soil, would change the political landscape on cybersecurity. If and when that happens, the warnings of the experts will likely be of small comfort.
Broadcasters File a Stay Against Political File Rule: The National Association of Broadcasters filed a motion (PDF) on Tuesday to stay the implementation of the FCC's online political file rules, which would require TV stations to post data online regarding who pays for political ads. Currently stations are required to keep such information in their public file at the station, but the FCC's new rule would require that such information be posted online. The broadcasters have argued the requirement would impose an undue burden on their businesses, and argue such actions are more rightly the purview of the Federal Election Commission. House Lawmakers Press FCC on Spectrum Auction: Members of the House Energy and Commerce Subcommittee on Communications and Technology pressed all five FCC Commissioners for details on the upcoming spectrum auction at an oversight hearing on Tuesday. Congress earlier this year authorized the auction, which is designed to free up spectrum held by the broadcasters for use by wireless companies. The rising demand for wireless broadband has added urgency to the auctions, which can take years to set up and executive. A speedier option may be freeing up more government spectrum, as the federal government is the largest holder of airwaves in the country. Several lawmakers called for the government to relinquish more spectrum and take an inventory of how it currently uses the precious resource. House Panel Considers Child Pornography Bill: The House Judiciary Committee approved a measure (HR 6063) on Tuesday designed to combat child pornography by increasing criminal penalties and authorizing the $300 million renewal of a five-year task force aimed at helping authorities respond to cases of child exploitation online. The bill passed with bipartisan support, but only after the defeat of an amendment that would have scaled back provisions that are designed to safeguard victims and witnesses, and help U.S. marshals track down sex offenders that fail to register their whereabouts. Identity Theft Bill Advances: House Judiciary also approved a bill aimed at combating identity theft (HR 4362), which would add tax return identity theft to the list of aggravated identity theft statutes. It would also expand the definition of a victim of identity theft to include organizations such as businesses and charities. The bill drew some concern from Rep. John Conyers, D-Mich., who argued that increased minimum sentences foster racial discrimination and cost taxpayers money. But Congress has steadily increased the penalties for digital crimes in recent years, giving the legislation a good shot at passage if it reaches the House floor. CRS Reports: The Congressional Research Service recently released new reports relating to cybersecurity (PDF), the USDA's Broadband Loan and Grant Programs (PDF), and the roles of the USDA's Rural Utilities Service and the FCC's Universal Service Fund (PDF). FTC to Announce Record Fine Against Google: The Federal Trade Commission will reportedly fine Google $22.5 million for bypassing the privacy settings for millions of users of Apple's Safari browser. The action comes after the search giant allegedly violated the terms of its settlement agreement with the FTC over the failed rollout of its Buzz social network. Under that agreement, Google faces fines of up to $16,000 per violation, per day when it misrepresents it privacy practices or fails to honors its privacy pledges.