The Senate failed Thursday to pass legislation to protect the U.S. electrical grid, water supplies and other critical industries from cyberattack and electronic espionage, despite dire warnings from top national security officials about the potential for devastating assaults on American computer networks.
Both Republicans and Democrats said they are committed to approving a final bill when they return in September from a monthlong recess. But deep divisions between the two parties over the right approach to cybersecurity will make it difficult to forge a compromise. And there is very little time left to get a deal done with presidential and congressional elections coming up in November.
The White House and Senate Democrats blamed Republicans for blocking what they called the only comprehensive piece of cybersecurity legislation that would have given the federal government and businesses the tools they need to deal with vulnerabilities in the nation's critical infrastructure. More than 80 percent of the infrastructure, which includes financial networks, transportation systems and chemical plants, are owned and operated by the private sector.
"The politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyber-attacks," White House Press Secretary Jay Carney said in a statement.
Failure to approve the Senate's Cybersecurity Act of 2012 before the August congressional recess amounted to a rejection of advice from senior national security officials, including Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, who have been calling for Congress to act now on comprehensive legislation to deal with cyberthreats.
"The uncomfortable reality of our world today is that bits and bytes can be as threatening as bullets and bombs," Dempsey said in an Aug. 1 letter to Sen. Jay Rockefeller, D-W.Va.
The principal stumbling block on Capitol Hill is what role the Homeland Security Department and other federal agencies should play in protecting U.S. businesses from cyberattacks. Republicans argued the bill would have led to rules imposed by Washington that would only increase the private sector's costs without substantially reducing its risks. They also said Democrats who control the Senate tried to ram the bill through without adequate time for debate.
"No one doubts the need to strengthen our nation's cybersecurity defenses," said Senate Minority Leader Mitch McConnell, R-Ky. The issue, he added, is how the Democratic leadership "has tried to steamroll a bill that would address it."
A cloture motion filed by Senate Majority Leader Harry Reid, D-Nevada, to limit debate and force a vote on the bill fell well short of the 60 votes needed to pass, failing 52-46. Congress is scheduled to go on its August recess at the end of the week and won't return until after Labor Day.
The White House and Senate Democrats criticized Republicans for allowing the pro-business U.S. Chamber of Commerce to have such a prominent voice in a debate over a pressing national security issue. Democrats said they made substantial revisions to the legislation after the GOP and the Chamber complained it would expand the federal government's regulatory authority over businesses already struggling in a tough economy.
The new version of the bill offered incentives, such as liability protection and technical assistance, to businesses that voluntarily participated in a government-managed cybersecurity program. Industry associations and groups would be involved in developing the standards needed to blunt the risks of cyberattacks, according to the revised legislation.
But the chamber said the voluntary program was nothing more than a "springboard" to federal regulations that would take time and money away from efforts businesses already have under way to protect their networks. Once a "government-driven 'voluntary' standards system is enacted," the Chamber said on its FreeEnterprise blog, "it's only a short hop to a mandatory one because the administration has the intent and regulatory leverage."
The Cybersecurity Act would also create a framework for federal agencies and the private sector to exchanges information about cyberthreats or malicious software that can destroy computer networks if it's not detected. Provisions were included in the bill to ensure privacy and civil liberties aren't violated, said the bill's primary sponsors, Sens. Susan Collins, R-Maine, and Joe Lieberman, I-Conn.
But the Chamber and other Republicans support a competing bill drafted by Sen. John McCain, R-Ariz., that is similar to legislation passed by the House in late April. Those bills are focused only on the sharing of threat information between the federal government and private sector. The White House threatened to veto the House bill, however, over concerns the bill didn't do enough to protect privacy rights.
Dempsey and other national security officials said more than just information sharing is needed. Key to addressing the threat is the adoption of basic security requirements that will harden critical infrastructure networks and make it more difficult for cyberattackers to succeed.
"Minimum standards will help ensure there is no weak link in our infrastructure," Dempsey wrote in his letter to Rockefeller.
Speaking to reporters after the vote, Lieberman said he's not optimistic an agreement can be reached, but is open to discussions.
"The threat is so real," he said. "None of us are going to walk away from the table."