03:01 PM
Connect Directly

Congress Kills Cybersecurity Bill, White House Action Expected

White House looks primed to take action on its own after Congress again fails to pass cybersecurity legislation.

IW500: 15 Top Government Tech Innovators
IW500: 15 Top Government Tech Innovators
(click image for larger view and for slideshow)
Comprehensive cybersecurity regulatory reform failed yet again in the Senate on Thursday, but the White House is not waiting for Congress to act and will likely use an executive order to carry out some elements of the bill.

On Wednesday, Senate Republicans -- joined by a small group of Democrats -- again blocked the Cybersecurity Act of 2012 from coming to the Senate floor. Senate Minority Leader Mitch McConnell, R-Ky., attributed the opposition to a fast-tracked process and the failure to allow fully open amendments. Numerous national security officials have urged the bill's passage, but the U.S. Chamber of Commerce has repeatedly voiced strong opposition.

In response to the bill's failure, Senate Majority Leader Harry Reid, D-Nev., called the bill "dead for this Congress."

In a statement, Reid said: "A bill that was and is most important to national security was just killed and that's cybersecurity. I hope President Obama uses all the authority of the executive branch at his disposal to fully protect our nation from the cyber security threat."

The administration has already taken some actions. According to reports, President Obama in mid-October signed the classified Presidential Policy Directive 20, which sets new cyber defense standards for government agencies, including standards for defensive measures that might require agencies to reach outside their own networks.

The Obama administration has also prepared a draft executive order, which has been circulating for months, that would require additional steps to be taken. Now, it appears prepared to issue that order.

"Congressional inaction in light of the risks to our nation may require the administration to issue an executive order as a precursor to the updated laws we need," White House Cybersecurity Coordinator Michael Daniel said in a statement. "We think the risk is too great for the Administration not to act."

A draft version of the executive order would direct the National Institute of Standards and Technology to set cybersecurity standards for eighteen critical infrastructure industries. The Department of Homeland Security would encourage adoption of these standards, and agencies responsible for regulating critical infrastructure industries would be responsible for proposing potentially mandatory cybersecurity regulations for those industries.

Information sharing is another big piece of the draft order. The executive order would set up new information sharing mechanisms that will accelerate security clearances and limit use of proprietary information. The order would also require agencies to take appropriate steps to ensure privacy of shared information.

However, an executive order can't do it all. Despite urging the President to take action, Reid warned in a statement that an executive order "leaves much to be desired" because, for example, it cannot offer companies liability protection in the event of a cyber attack.

Whlie Reid declared the cybersecurity legislation dead for this Congress, McConnell said in a statement after the bill's failure that he hopes Congress will again take up the issue "sometime in December" after dealing with other important national security legislation.

Whatever the case, the persistence of the cyber threat is one reason that action may be needed soon. The annual report of the U.S.-China Economic and Security Review Commission, released on Wednesday, found that China in particular -- which the report called "the most threatening actor in cyberspace" -- continues to represent a serious and "increasingly potent" concern for companies and government agencies that hold potentially sensitive data.

"U.S. industry and a range of government and military targets face repeated exploitation attempts by Chinese hackers," the report said, fingering China in cyber espionage and cyber attacks aimed at the Department of Defense, NASA and U.S.-based companies like Lockheed Martin, Northrop Grumman and BAE Systems. In what the report called the "most significant example of malicious Chinese cyber activity," the report said that intruders "gained full functional control over networks at the [NASA] Jet Propulsion Laboratory."

The report noted that China continues to build up its cyber forces. "The Chinese military is refining and implementing strategies for the cyber domain," the report says, noting that the military and intelligence communities each have groups concentrating on cyber war and cyber espionage. "New developments suggest Chinese exploitation capabilities are improving significantly."

The report also noted that while American businesses are not necessarily able to "sufficiently manage the threat of Chinese cyber espionage" on their own, they remain afraid of sharing information about attacks with the government. Such concerns about sharing -- and about cyber attacks -- could be allayed by the President's forthcoming cyber executive order or by some sort of action on Capitol Hill. Just when the latter will come remains, at this point, anyone's guess.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a firestarter.py supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.