Congress Back; No Cyber Bill in SightChances of Infosec Bill Passing in 2010: Zilch, Insiders Say
"There is little prospect of legislation in the lame duck; they just have too much else important to accomplish and there is little appetite for difficult work," says Paul Rosenzweig, visiting fellow at the Heritage Foundation and onetime deputy assistant secretary for policy at the Department of Homeland Security.
Oe knowledgeable congressional insider predicts, the chances of cybersecurity legislation to pass this year are zilch. That sentiment was echoed by former Rep. Tom Davis, the last Republican to chair a congressional committee with cybersecurity oversight, and forecasted by Sen. Thomas Carper, the Delaware Democrat who chairs a Senate panel with cybersecurity oversight, who said before the midterm election that a big Republican victory would likely mean that any significant action on cybersecurity would wait until the 112th Congress, when the GOP would have more sway. Carper, in the interview, said Republicans would be less anxious to pass much in the lame-duck session. "They'll just say, 'Well, we'll just wait and come back in January when there are stronger numbers, and then reengage.'"
In the next Congress that convenes in January, Republicans will take back control of the House of Representatives and will reduce the Democratic majority in the Senate.
"Given the limited time for the lame duck session and other pressing issues - appropriations, extending the tax cuts, the debt ceiling - it is hard to imagine that a standalone cyber bill has a chance," says Franklin Reeder, a founder of the not-for-profit Center for Internet Security and former official in the Office of Management and Budget.
That said, hope - for some - springs eternal for some sort of cybersecurity bill to be enacted this year. Cybersecurity, a national defense issue, has wide bipartisan support, and has avoided the partisan bickering between Republicans and Democrats heard on other issues.
The best chance, albeit a slim one, for passage of significant cybersecurity legislation this year would be adoption of a House-approved Defense Department funding bill that contains significant IT security provisions, including requirements for government agencies to move to continuous IT security monitoring and the creation of a Senate-confirmed, White House cybersecurity director. "I believe that the National Defense Authorization Act is still in play and I am hopeful that it passed before the end of the session," says Melissa Hathaway, senior adviser at Harvard Kennedy School's Belfer Center and the former National Security Council official who last year led President Obama's cyberspace policy review.
But political squabbling could derail that bill. The House-passed version of the National Defense Authorization Act includes a provision to repeal the "don't ask, don't tell" law that bars gays from serving openly in the military. That proviso has resulted in a Republican filibuster of the measure, and supporters haven't been able to muster the 60 votes needed to end the stalemate. Unless Democrats agree to rid the bill of the "don't ask, don't tell" repeal provision, the defense measure that usually passes Congress every year without much opposition could remain in the Senate hopper.
The Senate version of the National Defense Authorization Act, aimed primarily at the Defense Department, also would require the DoD to report to congress on cyberwarfare policy that includes a review of legal, strategy and doctrinal issues; fund cybersecurity demonstration projects using commercial technology; develop a tailored acquisition process for cyberspace; and create a strategy to address software vulnerabilities and supply-chain risk mitigation strategies.
Advocates for comprehensive cybersecurity reform could get a better result if lawmakers wait until next year to take action rather than enacting a halfhearted measure in the waning days of the 111th Congress. "The dilemma is that, if limited FISMA (Federal Information Security Management Act) reform is enacted in the lame duck session," Reeder says, "the sense of urgency to move broader cybersecurity legislation in the 112th Congress will diminish and other important reforms, especially dealing with workforce issues, could fall by the wayside."