The U.S. Senate has failed once again to move forward on the Cybersecurity Act, raising the question of what is next in the struggle to legislate solutions to threats in cyberspace.
Late Wednesday, the controversial legislation fell nine votes short of the 60 votes needed to send the bill to a final vote. The vote pushes the bill's fate further into limbo, marking the second time it has failed to garner enough votes to move forward in the past three months.
“With yesterday’s Senate vote, our government has largely failed in protecting the American public in cyberspace," said Stuart McClure, CEO and President of Cylance. "The most basic and fundamental of all the bills that went to the Hill for consideration were around information sharing and they couldn’t even get that bill passed. Information sharing is literally step zero before anything else can be done to adequately respond to threats. When someone in the government knows something, they are most often not able to share the information. So if someone from the NSA learns during a classified exercise that a company has been compromised, they are often not able to share that information because it is classified data."
"This and many other examples exist that highlight why such legislation is necessary," he added.
The failure of the bill – which critics say wrongly gives power to the Department of Homeland Security, raises privacy concerns and could create burdensome regulations for industry - comes as news has leaked out that the president signed a secret directive last month to enable the military to act more aggressively against cyberattacks targeting the government's computer networks. According to sources cited by the Washington Post, Presidential Policy Directive 20 establishes "a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace."
Still in play is whether or not the president will issue an executive order to address some of the provisions of the legislation. In an interview last month on news talk show "Platt's Energy Week," Sen. Joseph Lieberman (I-Conn.) said that the order would establish voluntary security standards for critical infrastructure companies.
"[The President] could certainly set up the process ... for private-public sector development of these best practice standards and then he can try to create some rewards -- not as strong as he can do by legislation -- for companies that voluntarily opt into them," Lieberman explained.
Chris Petersen, CTO of LogRhythm, called the idea that the president needs to consider an executive order "unfortunate."
"There are real and valid concerns when it comes to cybersecurity legislation, a main concern being additional compliance burdens on U.S. companies," he said. "While concerns are understandable, the reality is that without a measuring stick, companies won’t know if they have gone far enough in protecting themselves. Without enforcement, some companies will just kick the can down the road and hope for the best.”