Why Congress Hacked Up a Bill to Stop Hackers
On March 7, 2012, the Obama administration staged a mock cyberattack on the U.S. In a classified briefing for senators in the Capitol, FBI Director Robert Mueller, Department of Homeland Security Secretary Janet Napolitano, and other officials imagined a shutdown of New York City’s power grid that resulted in scores of deaths and billions of dollars in losses. Think Hurricane Sandy’s blackouts, only spread to all of Manhattan and the boroughs.
At the time, lawmakers were fighting over an administration-backed bill that would require the computer systems that control utilities, chemical plants, oil pipelines, and other “critical infrastructure” to be hardened against sabotage by hackers and foreign spies. Under the bill, the government would also share secret information about digital espionage with corporations that store sensitive data, helping them to protect against China and other governments that target U.S. industrial research and financial records. The U.S. is ill-equipped to cope with an Internet assault on the computers that undergird much of the economy, and no federal agency has the authority to compel companies to protect themselves. The bill, called the Cybersecurity Act of 2012, was intended to fix that—and the White House believed the mock attack would underscore its urgency.
Several senators said they were rattled by the presentation, according to a White House official who was there. Others dismissed it as hype. Either way, it wasn’t enough to close the deal. After a long summer of tense negotiations, the bill died in August. Republicans rejected it as a government power grab that would create another intrusive federal bureaucracy. Corporate and power-industry lobbyists argued it would cost businesses billions to meet the new standards, with no assurance that they’d be effective. Even Democrats who supported the bill privately conceded it couldn’t specify exactly what the regulations would require and how much they would cost. “Based on my experience, very few people on the Hill get this,” says Shawn Henry, who stepped down as executive assistant director of the FBI in April. “You can’t see it, touch it, or taste it, so it’s somehow not real.”
As Congress returns to D.C. to haggle over the fiscal cliff, Democrats see an opportunity to revive the cybersecurity bill. On Nov. 14, Senate Majority Leader Harry Reid of Nevada once again brought it to the floor, where Republicans quickly blocked it. The point of the vote was to put the issue back in the news—and signal that Democrats would continue to press it in the new Congress next year. Yet if the bill’s backers hope to make any progress, they’ll have to avoid repeating the many mistakes that doomed it before.
In a particularly mean election year, the cybersecurity bill—co-sponsored by Republican Senator Susan Collins of Maine and Democrat-turned-Independent Joe Lieberman of Connecticut—was supposed to float above the usual partisan sniping. Although Democrats and Republicans strongly disagree about how much power the government should have in dictating what companies must do to ward off attacks, there is general agreement on Capitol Hill that the nation’s computer systems are increasingly vulnerable to malicious hacking and cyber-espionage. Last year hackers linked to China’s military took control of a senior plant manager’s computer at the Diablo Canyon nuclear power plant north of Santa Barbara, Calif., a breach that company investigators concluded was meant to identify the operations and security of U.S. nuclear reactors. Chevron recently reported that Stuxnet, the computer worm reportedly created by the U.S. and Israel to disable Iran’s uranium processing facilities, wound up infecting its systems in 2010. The virus was designed to be harmless to computers outside Iran. Its quick spread to industrial networks all over the world exposed how vulnerable those systems are to sophisticated cyberweapons.
Yet the legislation meant to prevent those kinds of attacks was immediately bogged down in arguments over the details. The bill gave the huge task of enforcing the new law to the Department of Homeland Security. That decision alone was enough to derail it. A decade after its creation in the aftermath of Sept. 11, DHS is widely ridiculed by Republicans as a backward, poorly managed agency, symbolized by the blue-shirted airport security screeners who make air travel a hassle. There was no other obvious choice, however: The Pentagon couldn’t be given the job of regulating civilian industries; neither could the FBI.
The broad powers DHS would be granted under the proposed law were another sore point. The law would only apply to computer systems whose hacking could result in mass casualties or significant economic damage. Bank of America, yes. Taco Bell, no. Rather than try to regulate entire industries, DHS would identify their most sensitive parts—a certain chemical plant, or a hub in the country’s telecommunications network. But how they’d choose was unclear. Should major online retailers fall under the law? Should doctors’ offices? The bill didn’t say. Instead, a to-be-determined “public-private review process,” run by DHS, would figure out what parts of which industries were subject to the law. “When before have we given an agency regulatory authority without defining who would be regulated?” asks Brian Rogers, a spokesman for Senator John McCain of Arizona. Like other GOP senators, McCain objected to the bill partly because he said it left DHS to decide the limits of its own power.
Lobbyists for public utilities and business, including the U.S. Chamber of Commerce, complained the legislation wasn’t explicit about what industries would have to do to enhance their security. The bill empowered DHS to establish new standards for critical computer networks, but those would be written only after the bill became law. Security analysts say the new standards would almost certainly require companies to replace decades-old industrial computers that are especially vulnerable to attack—a costly proposition, as it would require shutting down businesses while the fixes are made.
The legislation also called for the government and businesses to share information on cyberthreats, with the DHS acting as a switchboard among them. The lobbyists argued that private industry could adapt to changing cyberthreats faster and more efficiently than government could, and that new federal standards would deprive them of the freedom to innovate. The information-sharing requirements drew criticism from consumer groups and civil liberties activists, who feared the law would give the government the ability to peer into private citizens’ personal data.
Then there was the question of how much it would cost businesses to comply with the new law. Because the bill was light on details, Republican Senate staffers said in interviews, the bipartisan Congressional Budget Office was unable to calculate its price tag. A former Obama administration official, who asked not to be named, said Democrats erred in not commissioning a study to address the economics of the bill, which might have given them ammunition to calm companies’ concerns over runaway costs. “Until someone can argue both the national security and the economic parts of it, you’re going to have these dividing forces,” says Melissa Hathaway, a senior White House cyber official in the Bush and Obama administrations who left in 2009. “Most likely, big industry is going to win because at the end of the day our economy is still in trouble. You can’t have an unaffordable tax on industry, not in these times.”
By midsummer, the bill was in jeopardy. A nearly yearlong lobbying effort by Democrats and the White House had failed to persuade more than a handful of Republicans. The administration even invited Senate staffers from both parties to briefings in the Situation Room in the White House. The goal was to create a sense of urgency in the same room where the president had monitored the raid that killed Osama bin Laden, according to an official with knowledge of the meetings. None of it worked, and the bill stalled.
In July, with weeks to go before the Senate’s summer recess, the measure’s sponsors diluted their proposal to attract more Republican support. They made the standards voluntary and offered incentives such as liability protection against lawsuits for companies that complied. The law would no longer be overseen by DHS, but by a multiagency council led by the Homeland Security secretary. Some in the White House thought the retreat was a mistake, according to an official familiar with the administration’s thinking. They had always believed they’d eventually have to cave but thought Senate leaders did so too soon.
The concessions didn’t win a single Republican vote. “The lobbyists smelled blood in the water,” says Jacob Olcott, a former Democratic staff member on the Senate Commerce Committee who’s now a principal at Good Harbor Consulting, a security-risk firm. Sensing weakness, the Chamber of Commerce—which had once argued for voluntary standards—dug in against them. “I thought we’d get a lot better response than we got,” says Lieberman. “The Chamber didn’t budge. While we were compromising, they were not only not meeting us halfway, they were moving a little further away from their own statements from before.”
The administration called in the Pentagon to make a last-ditch appeal to Republicans. On July 30, U.S. Army General Keith Alexander, the director of the secretive National Security Agency, which helps guard the government’s computer networks, addressed a group of lawmakers in a packed room in the Capitol. He said the U.S. had evidence that foreign nations had penetrated the nation’s civilian computer networks, comparing the moment to 1993, the year of the first World Trade Center bombing, the precursor to Sept. 11, 2001. “They’re practicing,” Alexander said, according to a person who was in the room.
His warning shook many of the lawmakers, but not those determined to stop the bill. The next day, Senate Minority Leader Mitch McConnell of Kentucky signaled that he was no longer taking the legislation seriously: He proposed an unrelated amendment calling for the repeal of Obamacare, which meant Republicans would use up debate time talking about that instead of cybersecurity. The bill was effectively dead.
Lieberman, who is retiring from the Senate in January, argues that corporate efforts to kill the bill have left U.S. businesses more vulnerable to a massive attack, and to the lawsuits that inevitably would follow. “If there’s an enormous cyberattack, and there’s terrible damage as a result, there will be litigation … that will threaten the existence of those companies,” he says. That may be what gets Republican lawmakers and business lobbyists back to the table next year.
The president is increasing the pressure. After the bill failed in August, he circulated the draft of an executive order that would put in place some of the controversial cybersecurity standards the legislation sought to establish. That would leave room for Congress to work out a deal on the less contentious parts of the bill, such as information sharing, that both sides support. Obama’s message was clear: If Congress can’t do the hard work, he’ll do it without them.