The attempt to pass a comprehensive cybersecurity bill before the summer recess failed today in the Senate, 52–46.
The Cybersecurity Act of 2012 was still not ready for prime time, despite several tries at moderating its more objectionable aspects. With this vote, cybersecurity legislation is not likely to move any further in this Congress.
One of the main rallying points for the opposition to the bill was its use of a regulatory structure at the heart of its provisions. The authors tried to soften it by making the regulatory regime “voluntary,” but they still allowed and encouraged regulatory agencies to make the standards mandatory. Such standards would likely cripple innovation, impose large costs on the private sector, and encourage compliance rather than true security.
Additionally, the bill’s cyber threat information-sharing provisions were heavily flawed due to weak and often conflicting liability protections, as well as the rejection of any assistance from the strongest centers of cyber capabilities: the National Security Agency and the Department of Defense. Forty-six Senators agreed that this was a bad idea.
Though cyber legislation is dead, the concern is now whether the President will override the will of the people and their representatives and simply enact an onerous regulatory structure through executive orders. President Obama has shown quite an appetite and willingness to do just this sort of end run around Congress. Regardless of his passion for this issue or his opinion on how this problem should be addressed, the Senate has not been able to find a workable bill, and its vote should be respected. In the meantime, the President still has plenty of work to do to improve federal computer systems.
A regulatory regime enacted by fiat would probably be even worse than the one in the bill. Such regulation would hurt American business and strangle innovation, and it would never be able to keep up with the speed of technology. On top of that, it would not secure our networks any better than they are now. The static nature of regulatory solutions is such that the bad guys will simply hack their way right around this Maginot Line.
Cybersecurity regulations, whether by legislation or presidential edict, are poor policy and should be avoided.