Cybersecurity

112th Congress Recap: In April 2012, the House passed H.R. 3523 (the Cyber Intelligence Sharing and Protection Act of 2012, or CISPA), which would compel the government to provide businesses with specific threat information and incentivize the voluntary sharing of private sector information. CISPA was widely supported by business, financial and tech groups. In the Senate, however, Democrats and a handful of GOP members aligned to push for a more comprehensive bill. In February 2012, Sens. Lieberman (I-CT) and Collins (R-ME) introduced S. 2105, the Cybersecurity Act of 2012. In July 2012, after making concessions to business and privacy opponents, the bill was reintroduced as S. 3414.

The revised Cybersecurity Act provided for the creation (by industry with government approval) of security standards for owners of the most vital computer networks (critical infrastructure). It also provided rewards, such as protection from lawsuits, to those who voluntarily comply with the new standards. The earlier version of the bill would have given the Homeland Security Department authority to mandate security standards for such owners. While sponsors of S. 3414 claimed the standards would be industry driven and voluntary, there were still grave concerns among business groups (led by the U.S. Chamber, supported by ASIS International) and GOP Senators that the federal government would still be overly involved and that the voluntary standards could “morph” into mandatory standards. In addition, the liability protection incentives offered were not seen as sufficient.

In late July 2012, S. 3414 was brought to the Senate floor with strong support from the Obama Administration and the military, but in early August 2012, supporters failed (in a 52-46 vote) to reach the 60 votes needed to invoke cloture, or end debate, and thus the bill was withdrawn. As an alternative, Sen. John McCain (R-AZ) offered up a more limited cybersecurity bill, S. 3342, the SECURE-IT Act, that focused on boosting threat information-sharing between businesses and the federal government and was similar to the House-passed CISPA.

As the 112th Congress came to a close with no cybersecurity bill cleared to pass, S. 3414 supporters and others urged President Obama to issue an Executive Order that could put in place some of the bill's provisions. The Obama Administration released both the Executive Order on Cybersecurity and the Presidential Policy Directive on Critical Infrastructure Security and Resilience on February 12, 2013, during the State of the Union Address. The Executive Order dramatically expands existing information sharing programs and provides for the sharing of unclassified threat data. It also calls for a formal review of existing cybersecurity authorities to determine what additional legislation is necessary.