With new cybersecurity legislation failing to pass the Senate this week, expectations are growing that the White House will soon step in with an executive order to shore up cyberdefenses for the power grid, water purification, and other vital systems.
White House officials have said that while the president prefers a broad legislative solution, the executive branch would have to act this year if Congress did not. A document purporting to be a leaked draft of the executive order has been on the Internet since September.
The possibility of a congressional solution this year appeared to be shot down Wednesday with the failure of a Senate cybersecurity bill introduced by Sens. Joe Lieberman (I) of Connecticut and Susan Collins (R) of Maine. Under the bill, operators of natural-gas pipelines, refineries, water-supply systems, and other vital assets would have been asked to voluntarily submit their computer networks to security testing by the Department of Homeland Security (DHS). In return, those industries would have gotten federal protection from financial liability.
An executive order could achieve some of these goals, but could not offer a liability exemption, making it potentially much more difficult for DHS to persuade private computer networks – which control 85 percent of the nation's critical infrastructure – to cooperate.
The bill failed because Senate majority leader Harry Reid did not allow amendments, said Sen. John McCain (R) of Arizona, who is the author of a competing bill. But others say the business community's concerns about the Lieberman-Collins bill were decisive.
"Frankly, the underlying bill is not supported by the business community for all the right reasons," Sen. Saxby Chambliss (R) of Georgia said on the Senate floor. "They're the ones that are going to be called to comply with the mandates and the regulations, and frankly it's just not going to give them the protection they need against cyberattacks."
Democrats say business interests trumped national security.
"Sometimes we need to make decisions that the Chamber of Commerce isn’t happy with," Sen. John Rockefeller (D) of West Virginia said in a statement Friday. "Because it’s not the Chamber’s job to worry about national security. That’s the job of our military. And they have been quite clear about what’s needed."
The Pentagon has been clear about the need for action. The most recent warning came from Defense Secretary Leon Panetta. In a speech last month, he said “an aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
For that reason, cybersecurity had appeared to be one of the more plausible areas of agreement, even within a divided Congress. But Wednesday's 51-to-47 vote, well shy of the 60 votes needed to avoid a GOP filibuster, marked an end to cybersecurity efforts in this session of Congress, said Senator Reid (D) of Nevada.
"The bill that was and is most important to the intelligence community was just killed, and that's cybersecurity," he said after the vote. "Whatever we do for this bill, it's not enough for the US Chamber of Commerce. So everyone should understand cybersecurity is dead for this [session of] Congress. What an unfortunate thing, but that's the way it is."
"My expectation," he said, "is that sometime in December after we have completed floor debate on the defense authorization bill, and then dispose of the intelligence authorization bill, we will then attempt to get an agreement on amendments to the cybersecurity bill."