The 112th Congress is in a virtual state of paralysis after having balked at several opportunities to pass comprehensive cybersecurity legislation.
Senate Majority Leader Harry Reid expressed hope recently that progress could be made during the post-election lame duck session, but experts familiar with the legislative process believe the chances of that happening are slim at best.
"The only cybersecurity bill I can see possibly moving in the lame duck session is the Cyber Information Sharing & Protection Act (CISPA) passed by the House earlier this year," said Internet Security Alliance (ISA) President Larry Clinton, who frequently briefs Congress and the White House on cybersecurity policy issues.
ISA's mission is to integrate technology and business needs to promote public policy addressing cybersecurity at the national level. The organization represents organizations from the aviation, communications, defense, education, manufacturing, technology and financial sectors.
"CISPA is the only bill in the current Congress that enjoys true bipartisan support and addresses an issue the House, Senate and the Administration all agree needs to be addressed: information sharing," Clinton told SearchSecurity.com. "Moreover, this bill takes an approach broadly supported by industry of using incentives rather than government-centric and determined mandates to promote good security behavior."
CISPA is problematic, though, having been spurned by a host of civil liberties groups for being too vague in its wording, for enabling the monitoring of private communications with no judicial oversight, and for allowing the private sector to hand over a multitude of information otherwise protected by privacy laws.
Clinton believes there is little chance of passing the bill during the lame duck session given how much work still needs to be done to gain enough support, noting that "it's almost impossible to see how a bill that big, complicated and controversial can get passed in a couple of weeks when it couldn't even get to the floor during the previous two years."
Realistically, the opportunity for the passage of legislation will come in the next session of Congress, probably in the form of a revamped Cybersecurity Act of 2012, Clinton said. He pointed to a bipartisan group of senators led by Democrats like Coons, Whitehouse and Blumenthal who worked with Republicans like Coats and Lugar to reform the original bill.
"This group did not really have enough time to transform the bill enough to make it politically practical to move forward this year; however, the existence of a truly bipartisan group more in tune with their House colleagues does offer the prospect that Congress may seek a more progressive and pragmatic approach to cyber legislation," Clinton said. "Of course that rests on either the Obama administration moving toward an incentive model or there being a new administration, both of which are at this time unknown."
Clinton believes the typical enterprise CISO should not be focused so much on the prospect of legislative action, but instead on the potential impact from an executive order President Obama is likely to issue sometime after the election in November, especially if the Senate bill fails again to pass.
While executive orders cannot create new authority, the most immediate impact will likely be for industries that are already subject to regulatory authority, such as public utilities, transportation and communications.
"In these areas I suspect the executive order will follow the path of the proposed Senate bill by calling on the existing regulatory authorities to develop best practices for cybersecurity in conjunction with Sector Coordinating Councils, as well as reviewing their current authorities to see how they can best enforce them," said Clinton, who is also chair of the IT Sector Coordinating Council.
Clinton also believes that non-regulated industries such as IT will be asked to come up with a set of industry best practices, and that CISOs in these sectors should be in active discussions with their respective Coordinating Councils to assist in developing effective policies, especially with respect to items like cost recovery, which will likely have to come through some form of enticements that have not yet been fully developed.
"ISA has been working on these economic incentives for years, but until now we have had only limited collaboration from our government partners. We think that will change when this Congress ends without passing the Senate bill and the president responds by issuing the Executive Order, which we hope will produce an incentive program for cybersecurity."