From: Bloomberg/BNA
By Alexei Alexis
The Obama administration’s legislative agenda in the area of cybersecurity appears to be moving away from a push for proposed Department of Homeland Security regulations that Republicans rejected in 2012, observers told BNA.
The administration is expected to focus instead on getting help from Congress to promote industry adoption of voluntary cybersecurity standards that are being developed by the National Institute of Standards and Technology under an executive order signed by President Obama earlier this year.
“I think you will see an attempt to leverage the NIST framework through the use of incentives and possibly through current regulatory authorities,” Larry Clinton, president of the Internet Security Alliance, an industry group in Washington, said in a recent BNA interview. “I tend to doubt there will be a true push to expand DHS regulatory authority, as it would be dead on arrival in the House and probably also couldn’t get out of the Senate.”
House Package Silent on Standards
In April, the House passed a package of cybersecurity bills that excluded provisions to promote industry adoption of the coming NIST framework. Under a key House-passed bill (H.R. 624), the Cyber Intelligence Sharing and Protection Act (CISPA), companies would be granted liability protection for the sharing of cyberthreat information with other firms and the federal government (12 PVLR 671, 4/22/13).
Sen. Tom Carper (D-Del.), chairman of the Senate Homeland Security and Governmental Affairs Committee, has said that he will work with Senate colleagues on both sides of the aisle to develop broader cybersecurity legislation that complements initiatives already moving forward under Obama’s executive order.
“While information sharing is an important piece in our effort to modernize our outdated cybersecurity laws, it is only one of many elements needed to properly bolster our cyber defenses,” Carper said in an April 19 statement, following the House’s action on CISPA. “Those of us in Congress need to pay close attention to other vital elements of cybersecurity, especially safeguarding our critical infrastructure.”
Alan Charles Raul, a partner at Sidley Austin LLP, in Washington, told BNA that the House and Senate could ultimately have significant differences to resolve in conference, if the legislative process gets that far.
“Regulatory mandates to be imposed by DHS are non-starters for the House, so they will not likely be included in the product coming out of conference,” he said.
Previous Congress Did Not Enact Bill
During the previous Congress, the White House unveiled a comprehensive cybersecurity proposal with provisions to give DHS new authority to regulate cybersecurity practices across the private sector (10 PVLR 730, 5/16/11). However, the proposal was never taken up in the House, and a compromise bill (S. 3414) developed in the Senate was ultimately blocked by Republicans (11 PVLR 1680, 11/19/12).
The Senate bill would have established voluntary cybersecurity standards for the private sector. The U.S. Chamber of Commerce, a chief opponent, argued that the proposed standards had the potential to become burdensome regulations.
As a result of the congressional impasse, Obama issued an executive order in February that achieves some of goals of the failed Senate bill (12 PVLR 257, 2/18/13). The order directed NIST, a component of the Department of Commerce, to lead the development of a framework consisting of voluntary cybersecurity standards for the nation’s “critical infrastructure” owners and operators. NIST must publish a draft cybersecurity framework by the fall and produce a final version by February 2014.
“I think that the executive order accomplished about 80 percent of what the [Senate] bill would have accomplished.”Stewart Baker, Partner, Steptoe & Johnson LLP
Leave a Reply