Cyber security reform died in the Senate once again. But President Obama may sign an executive order to push many of the changes through.
Senate Republicans, along with a few Democrats, killed the Cybersecurity Act of 2012 by blocking its introduction to the floor, despite national security officials urging passage of the bill. Senate Majority Leader Harry Reid said the bill is "dead for this Congress."
"A bill that was and is most important to national security was just killed, and that's cyber security," Reid said. "I hope President Obama uses all the authority of the executive branch at his disposal to fully protect our nation from the cyber security threat."
Opponents expressed concern about whether the government should impose cyber security mandates on private-sector infrastructure operators and whether the military or Department of Homeland Security should take the lead in civilian cyber security.
The Obama administration had previously drafted an executive order implementing many of the changes, and the president seems poised to sign it.
"Congressional inaction in light of the risks to our nation may require the administration to issue an executive order as a precursor to the updated laws we need," said White House Cybersecurity Coordinator Michael Daniel. "We think the risk is too great for the administration not to act."
Cyber Threats Increasing
Chris Petersen, CTO of security analytics firm LogRhythm, told us it's unfortunate that the president needs to consider signing an executive order on cyber security.
"Ideally, Congress would recognize and act on the threat we face as a nation when it comes to defending ourselves against cyberwar and cyberterrorism," Petersen said. "These threats are real and will only increase in the years to come -- drastically and swiftly. If signing an executive order does nothing other than help move cyber security spending up the stack of 2013 IT budgets, it will be a win for us all."
There are real and valid concerns when it comes to cyber security legislation, Petersen said. One of the main concerns is additional compliance burdens on U.S. companies. While those concerns are understandable, he said, the reality is that without a measuring stick, companies won't know if they have gone far enough in protecting themselves.
Finding a Compromise
"Without enforcement, some companies will just kick the can down the road and hope for the best," Petersen said. "Hopefully the Chamber of Commerce and other opponents of legislation will find a compromise solution where requirements can be implemented that mandate the necessary cyber security improvements at a manageable cost."
Petersen noted that utilities and critical infrastructure industries in the United States are under constant cyber attack from nation states and other groups. It is no longer a matter of if power grids, telecommunications networks, chemical plants, water supplies and other critical infrastructure will be attacked, he said, but when the next attack will occur.
Petersen concluded: "Bolstering their IT security hardware, policies and procedures should be mandated because the stakes are too high and the damaging blow it could land to the citizens of this country and our economy is far too great to overlook any longer."