Supporters of the proposed cyber-security legislation take questions… (J. Scott Applewhite / Associated…)
WASHINGTON -- Despite warnings from intelligence officials that the U.S. is ill-prepared to stop a growing wave of cyber attacks against its crucial national infrastructure, the Senate on Thursday failed to pass a watered-down bill that would have set voluntary standards to harden the network defenses of electric utilities, chemical plants and other privately owned facilities.
Most Republicans and a few Democrats voted to block the measure even after its sponsors agreed to scale back its regulatory mandates. The U.S. Chamber of Commerce and other business groups continued to oppose it, and in a mostly party-line vote,the legislation failed to reach the 60-vote threshold needed to end debate. Fifty-two senators voted to end debate, and 46 voted against it.
"Rarely have I been so disappointed in the Senate's failure to come to grips with a threat to our country," said Sen. Susan Collins (R-Maine), the ranking member on the Homeland Security and Governmental Affairs Committee and one of the bill's chief sponsors.
Barring an unexpected compromise, the defeat makes it less likely that Congress will pass a cyber-security bill this year. In April, the GOP-controlled House passed a bill the White House opposes that calls for information sharing about cyber attacks between companies and the government, but no security standards. The Senate bill also included information-sharing provisions, which intelligence officials say would have allowed them to better detect incoming cyber attacks.
Analysts say the Senate measure ran into a wall of anti-regulatory sentiment among Republicans that has proved resistant even to dire warnings from top security officials that the nation's crucial infrastructure is woefully under-defended against the cyber threat. The voluntary standards were condemned by Republicans as too much government interference in the free market.
"No sane person has ever said that the private sector can carry the burden of national security," said James Lewis of the Center for Strategic and International Studies, who frequently advises the government on cyber issues. "The fate of the cyber-security bills is a part of a larger and damaging political debate on the role of government."
The Senate bill -- whose earliest sponsors were the leaders of the homeland security panel, Joseph Lieberman (I-Conn.) and Collins -- initially called for mandatory minimum security standards to shore up computer networks, to be crafted in close concert with industry representatives.
Those standards were designed to spur private companies that own life-sustaining equipment, including electric utilities and water systems, to improve security. Many have not been prepared to do that, arguing that the threats are speculative.
But the Chamber of Commerce, a major lobbying force in Washington, strongly opposed mandatory standards. In recent weeks, a group of Senate Republicans, including John McCain of Arizona, made it clear they would block the bill. In an effort to save it, proponents scaled it back. The version that came up for a vote called for a system of voluntary security standards and offered protection from lawsuits to companies that participate.
Those changes weren’t enough to mollify the chamber and its Republican allies.
"The Chamber believes [the bill] could actually impede U.S. cyber security by shifting businesses' resources away from implementing robust and effective security measures and toward meeting government mandates," Bruce Josten, the chamber’s chief lobbyist, wrote in a letter to senators Tuesday.
"It’s incomprehensible why they are opposing it," John Brennan, the White House counter-terrorism advisor, told reporters Wednesday. "It's not grounded in facts nor in national security concerns."
The opposition frustrated intelligence officials, who have been warning for years that cyber attacks -- the most destructive of which could tamper with nuclear, chemical, water and electric plants -- pose an increasing threat to national security.
Army Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command, said last week that it was only a matter of time before the United States is hit by a cyber attack that damages key infrastructure. He cited a June report that the number of cyber incidents reported to the Department of Homeland Security by companies that own vital equipment rose 22-fold, from nine in 2009 to 198 in 2011.
On a scale of 1 to 10, Alexander rated U.S. cyber defenses at a 3.