03:01 PM
Connect Directly

Congress Kills Cybersecurity Bill, White House Action Expected

White House looks primed to take action on its own after Congress again fails to pass cybersecurity legislation.

IW500: 15 Top Government Tech Innovators
IW500: 15 Top Government Tech Innovators
(click image for larger view and for slideshow)
Comprehensive cybersecurity regulatory reform failed yet again in the Senate on Thursday, but the White House is not waiting for Congress to act and will likely use an executive order to carry out some elements of the bill.

On Wednesday, Senate Republicans -- joined by a small group of Democrats -- again blocked the Cybersecurity Act of 2012 from coming to the Senate floor. Senate Minority Leader Mitch McConnell, R-Ky., attributed the opposition to a fast-tracked process and the failure to allow fully open amendments. Numerous national security officials have urged the bill's passage, but the U.S. Chamber of Commerce has repeatedly voiced strong opposition.

In response to the bill's failure, Senate Majority Leader Harry Reid, D-Nev., called the bill "dead for this Congress."

In a statement, Reid said: "A bill that was and is most important to national security was just killed and that's cybersecurity. I hope President Obama uses all the authority of the executive branch at his disposal to fully protect our nation from the cyber security threat."

The administration has already taken some actions. According to reports, President Obama in mid-October signed the classified Presidential Policy Directive 20, which sets new cyber defense standards for government agencies, including standards for defensive measures that might require agencies to reach outside their own networks.

The Obama administration has also prepared a draft executive order, which has been circulating for months, that would require additional steps to be taken. Now, it appears prepared to issue that order.

"Congressional inaction in light of the risks to our nation may require the administration to issue an executive order as a precursor to the updated laws we need," White House Cybersecurity Coordinator Michael Daniel said in a statement. "We think the risk is too great for the Administration not to act."

A draft version of the executive order would direct the National Institute of Standards and Technology to set cybersecurity standards for eighteen critical infrastructure industries. The Department of Homeland Security would encourage adoption of these standards, and agencies responsible for regulating critical infrastructure industries would be responsible for proposing potentially mandatory cybersecurity regulations for those industries.

Information sharing is another big piece of the draft order. The executive order would set up new information sharing mechanisms that will accelerate security clearances and limit use of proprietary information. The order would also require agencies to take appropriate steps to ensure privacy of shared information.

However, an executive order can't do it all. Despite urging the President to take action, Reid warned in a statement that an executive order "leaves much to be desired" because, for example, it cannot offer companies liability protection in the event of a cyber attack.

Whlie Reid declared the cybersecurity legislation dead for this Congress, McConnell said in a statement after the bill's failure that he hopes Congress will again take up the issue "sometime in December" after dealing with other important national security legislation.

Whatever the case, the persistence of the cyber threat is one reason that action may be needed soon. The annual report of the U.S.-China Economic and Security Review Commission, released on Wednesday, found that China in particular -- which the report called "the most threatening actor in cyberspace" -- continues to represent a serious and "increasingly potent" concern for companies and government agencies that hold potentially sensitive data.

"U.S. industry and a range of government and military targets face repeated exploitation attempts by Chinese hackers," the report said, fingering China in cyber espionage and cyber attacks aimed at the Department of Defense, NASA and U.S.-based companies like Lockheed Martin, Northrop Grumman and BAE Systems. In what the report called the "most significant example of malicious Chinese cyber activity," the report said that intruders "gained full functional control over networks at the [NASA] Jet Propulsion Laboratory."

The report noted that China continues to build up its cyber forces. "The Chinese military is refining and implementing strategies for the cyber domain," the report says, noting that the military and intelligence communities each have groups concentrating on cyber war and cyber espionage. "New developments suggest Chinese exploitation capabilities are improving significantly."

The report also noted that while American businesses are not necessarily able to "sufficiently manage the threat of Chinese cyber espionage" on their own, they remain afraid of sharing information about attacks with the government. Such concerns about sharing -- and about cyber attacks -- could be allayed by the President's forthcoming cyber executive order or by some sort of action on Capitol Hill. Just when the latter will come remains, at this point, anyone's guess.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Disappearing Act: Dark Reading Caption Contest Winners
Marilyn Cohodas, Community Editor, Dark Reading,  3/12/2018
Microsoft Report Details Different Forms of Cryptominers
Kelly Sheridan, Staff Editor, Dark Reading,  3/13/2018
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.