WASHINGTON (Bloomberg) — There’s almost universal agreement that the United States faces a catastrophic threat from cyber attacks by terrorists, hackers and spies. Washington policymakers just don’t seem able to do anything about it.
Even with the consensus about vulnerabilities in U.S. networks, and with hundreds of billions of dollars at stake, Congress failed to pass cybersecurity legislation that was four years in the making and had sponsors from both parties.
The measure succumbed in August amid partisan gridlock and aggressive lobbying, even though lawmakers had heard warnings for years about holes in corporate and government systems that imperil U.S. economic and national security.
“Based on my experience, very few people on the Hill get this,” said Shawn Henry, who stepped down as executive assistant director of the FBI in April. “You can’t see it, touch it or taste it, so it’s somehow not real.”
Senate Majority Leader Harry Reid, a Nevada Democrat, Wednesday failed to muster enough votes to revive the measure. The bill’s demise reveals how partisan bickering, tactical errors, industry lobbying, conflicting interests, and ignorance can trump even national security concerns, according to documents and interviews with advocates and opponents in the Senate, the administration and the business community.
The legislation’s collapse leaves President Barack Obama with few options, administration officials said in interviews. One possibility officials have discussed is an executive order aimed at achieving some of what the legislation could have done to shore up private-sector networks.
Last month, Obama signed a separate cybersecurity directive authorizing the National Security Agency and other military units to take more aggressive action to defeat attacks on government and private computer systems.
An Oct. 4 Bloomberg Government study by Afzal Bari and Jason Wilson concluded that any future order from Obama likely would promote almost real-time monitoring of crucial systems, which “may require companies to provide network information through systems connected to the federal government.”
“We are still going to need legislation to do the things that we think need to be done,” White House Cybersecurity Coordinator Michael Daniel said in an interview. “An executive order is not an adequate substitute.”
All sides concede that they made mistakes that contributed to the failure of the bill. The Senate measure was championed by Sens. Joseph Lieberman, a Connecticut independent who is retiring, and Susan Collins, a Maine Republican.
The White House focused its efforts on a gridlocked Senate rather than on the Republican-controlled House, which had passed several less ambitious cybersecurity bills.
Congressional Democrats sought to give the Department of Homeland Security ill-defined powers to set new cybersecurity standards and failed to come up with credible estimates of what those standards would cost.
Many Senate Republicans took their cues from the U.S. Chamber of Commerce and businesses that framed the debate not as a matter of national security, but rather as a battle between free enterprise and an overreaching government, according to documents and descriptions of lobbying efforts.
The Senate bill “would have created a new bureaucracy that would have slowed down the process and forced companies to focus on compliance with new government mandates that would not insure better and faster notifications of cyber threats,” Kay Bailey Hutchison of Texas, the top Republican on the Senate Commerce Committee who also is retiring, said in an email.
Many companies also feared that regulation would expose them to a greater risk of shareholder liability suits in the event of an attack, an issue compounded by the fact that it’s easier to estimate the cost of stiffer defenses than to guess the price of a possible attack, said congressional aides who worked on the Lieberman-Collins bill and discussed it on condition of anonymity.
Add to those uncertainties the fact that no bill can offer perfect protection, said the White House’s Daniel.
“Currently, bad actors don’t have to be sophisticated to cause significant consequences,” he said. “We want the bad actors to not be able to succeed as easily,” even though that’s “not going to stop them from trying.”
The latest warning about the peril of terrorist-led cyber attacks came Wednesday from the National Academy of Sciences, which cautioned in a report that an assault on the U.S. power grid could leave millions of people in the dark for months and cause billions of dollars in damage.
The report is the latest in a long string of alarms about the vulnerability of the nation’s Internet backbone, underscored by constant probes and attacks on government, banking and other computer networks. The next attack, Defense Secretary Leon Panetta said in an Oct. 11 speech, could derail passenger trains, spill toxic chemicals or cause widespread blackouts.
“The collective result of these kinds of attacks could be a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life,” Panetta said. “In fact, it would paralyze and shock the nation.”
Congress’s failure to pass a cybersecurity bill has left the U.S. unprepared and ill-equipped to cope with an Internet assault on the computer networks that control much of the nation’s physical and financial nervous system, Panetta said.
Almost from the beginning, though, congressional aides said in interviews, the Lieberman-Collins bill was hampered by the secrecy that blankets government cyber programs and the difficulty in grasping the technology behind attacks and defenses. Only a handful of lawmakers understood the threat, people who briefed them regularly said.
The government’s top cybersecurity officials staged a classified demonstration for dozens of senators in March in an effort to change that. They simulated a cyber attack that paralyzed New York City’s power grid, causing multiple deaths and billions of dollars in damage, two officials said.
While government researchers had identified a vulnerability in the nation’s electrical grid years ago, lawmakers said during a congressional hearing in 2008 that no U.S. or state agency could compel power companies to act.
“That was really the key moment,” said Jacob Olcott, a former Democratic staffer on the Senate Commerce Committee and a cybersecurity specialist. “That’s when we realized that there was a gap in the existing regulatory authority, and the private sector was doing little to improve security on its own.”
The bill Lieberman and Collins introduced in February granted that authority to the Homeland Security Department, which handles civilian cybersecurity issues. The choice of DHS, already under fire for its airport-screening procedures, was an immediate target for Republicans.
Under the bill, DHS would regulate computer systems that could cause mass casualties or significant economic damage if they were manipulated or destroyed. Those vulnerable points would be identified by a public-private review process.
In interviews, several Republican aides said the review process could take years, and the bill would leave DHS free to define the limits of its own power.
“When before have we given an agency regulatory authority without defining who would be regulated?” said Brian Rogers, a spokesman for Sen. John McCain, R-Ariz.
Another business concern, echoed by Senate Republicans, was that making DHS the switchboard for exchanging threat reports would disrupt existing information-sharing arrangements, for example between defense and technology firms and the NSA.
Advocates of new federal standards found themselves facing opponents that included the Chamber of Commerce, the nation’s largest business lobby, AT&T and Verizon Communications, as well as energy companies and electric utilities.
Private industry, business lobbyists argued, could adapt to changing cyber threats faster than government could, and new federal standards would curb their freedom to innovate.
The Lieberman-Collins bill’s proposed standards also were so vague, Senate Republican staffers said, that the nonpartisan Congressional Budget Office was unable to score the legislation.
“Until someone can argue both the national security and the economic parts of it, you’re going to have these dividing forces,” Melissa Hathaway, a White House cyber official in the Bush and Obama administrations who left in 2009, said in an interview. “Most likely, big industry is going to win because at the end of the day our economy is still in trouble.”
Administration officials brought Senate staffers from both parties to the White House Situation Room for cybersecurity briefings in 2011. The goal, said an official familiar with the effort, was to create a sense of urgency in the room where the president had monitored the raid that killed Osama bin Laden.
By this summer, though, business and Republican opposition to new federal standards had hardened. With weeks to go before the Senate’s summer recess, the measure’s sponsors diluted their proposal on July 19 to attract more Republican support.
The revised bill made infrastructure standards voluntary and offered incentives such as liability protection and expedited government security clearances. The new standards would be overseen not by DHS but by a multi-agency council.
Responding to criticism from privacy and civil-liberties advocates, though, the new bill still put DHS, a civilian agency, in charge of the information-sharing provisions.
The compromise didn’t win a single Republican vote.
“The lobbyists smelled blood in the water,” said Olcott, now a principal at Good Harbor Consulting, a security-risk firm based in Arlington, Va.
The administration then called up the troops to make a last-ditch appeal to Republicans. Army Gen. Keith Alexander, the head of the NSA, which helps guard the government’s computer networks, told lawmakers on July 30 that the U.S. had evidence that adversaries have penetrated civilian networks. He compared the moment to 1993, the year of the first World Trade Center bombing, which was a precursor to the Sept. 11, 2001, attacks.
“They’re practicing,” Alexander said.
His warning shook many of the lawmakers, while opponents remained determined to kill the measure.
The next day, July 31, Senate Minority Leader Mitch McConnell, R-Ky., signaled that Republicans weren’t even planning to debate the bill. Instead, their first amendment to it would repeal Obama’s health-care overhaul.
Republicans seeking a compromise took one last shot. In a tense meeting between the Chamber of Commerce and a group of senators on Aug. 1, the day before the scheduled vote, Indiana Republican Dan Coats argued that legislators had to be open-minded and flexible, according to one eyewitness.
Bruce Josten, the chief lobbyist for the Chamber, cut Coats off and dismissed similar comments by Lieberman, attendees said.
The Chamber doesn’t discuss private meetings with members and legislators, spokeswoman Jamie Glick said in an email.
On Aug. 2, Senate Republican national security hawks, including McCain and Hutchison, all voted to block the bill.