After two years of work, and on the eve of a month-long election year recess, the U.S. Senate failed today to move forward a controversial cyber security bill. S. 3414, the Cyber Security Act of 2012 introduced by Senator Joseph Lieberman (I-CT) and Senator Susan Collins (R-ME), was shot down in a maneuver by Senator Majority Leader Harry Reid (D-NV) to introduce a cloture motion, ending any further debate or amendments. The final vote was 52 Senators in favor of cloture and 46 against it; Senate rules require at least 60 votes in favor of cloture.
Two things scuttled the bill's prospects in the Senate. First, the emergence of partisanship on the previously non-partisan issue of cyber security pitted the Administration and Senate Democrats against Republicans, a newly formed rift heightened all the way around by the Supreme Court's decision to affirm Obama's health care law. Secondly, private sector critical infrastructure entities covered by the bill, with particularly potent representation by the U.S. Chamber of Commerce, opposed what they perceived as unnecessary government regulation of their cyber security practices, even as Senate Democrats (with an assist by the Obama administration) watered down provisions in the bill regarding mandates on critical infrastructure industries into "voluntary" reporting procedures regarding discovered cyber security threats.
Speaking before the vote occurred, Lieberman said "this is one of those days that I fear for our country and I'm not proud of the United States Senate. It's not that there is a speculative threat to our country – it's real and it's here now."
Lieberman said that "when it comes to cyber war, we are where we were in 1993 with Islamic terrorism," quoting General Keith Alexander, Head of the National Security Agency and a proponent of the bill who helped the Obama Administration lobby for it during a last-minute push. "We pretty much all agree on that here and yet we've descended once again into gridlock. The end result of that is a lot of sound and fury that will accomplish nothing and leave our country vulnerable."
Lieberman may be right that we're in the ignorance-is-bliss phase that precedes unexpected, impending disaster when it comes to cyber security, particularly security for our most critical infrastructures, such as the electric grid. But, like the volatile, unpredictable set of forces that gave rise to 9/11, security in the cyber age is an elusive, ever-changing target, which is why some experts favor flexible solutions as opposed to government-defined answers.
The inherently ungraspable nature of cyber security also leads to the confusing set of often contradictory rules under which most critical infrastructure providers operate. Electric utilities, for example, try to abide by the fluid (and often unclear) set of requirements and recommendations that flow forth from at least 27 different bodies, from the Cross Sector Cyber Security Working Group at DHS to the Critical Infrastructure Protection requirements mandated by industry group North American Electric Reliability Corporation to U.S. Cyber Command at the Department of Defense to a host of industry technical standard setting bodies.
It's no surprise, then, that the Senate came close but failed to pass a cyber security bill. Against the backdrop of partisan fighting and industry opposition and crazy quilt rules which attempt to make sense of a highly specialized and abstract topic, it's possible that any cyber security legislation is doomed at the outset. Lieberman says he's not "going to be petulant" and is willing to continue trying to hammer out a compromise, so don't rule out a surprise rescue.
But, as Paul Rosenzweig points out, the more likely scenario is for the Obama Administration to simply chuck the Congress and adopt many of the bill's requirements through executive order. Senator Dan Coats (R-IN) predicted as much before the cloture vote.