The flickering hope that Congress would pass the Cyber Security Act of 2012, which addressed issues of national cyber security, during its current lame duck session has been extinguished: the bill failed in a 51-47 vote. (In order to pass, the bill needed 60 votes.) The Defense Department and other key federal agencies consider this cyber legislation critical to national security, and DOD officials expressed disappointment at the bill’s failure. However, as the country faces the current fiscal cliff crisis, the consensus in Washington is that data breaches and cyber security issues must take a back seat to looming national economic problems.
As a result, President Obama is expected to sign an executive order known as Presidential Policy Directive 20, a classified document that was drafted after Congress first rejected the act in August 2012. The executive order reportedly will offer voluntary guidelines and a strict set of standards to guide federal agencies in confronting cyber security threats. The policy also includes provisions regarding data breach protection and privacy defense mechanisms for U.S. citizens and foreign allies, requiring any data breach response actions to abide by the international laws of war. It also states that U.S. law enforcement agencies and data protection and security defenses must be utilized first, before any military action is executed in battling a cyber attack.
The 2012 Cyber Security Act called for the creation of a National Cyber Security Council to develop best practices for industries labeled as “critical infrastructure,” such as utilities, pipelines and financial service companies. The bill also included provisions defining national data breach notification standards. Back in August, competing political interests stalled the bill: the White House-backed Democrats lobbied for minimum security standards for critical infrastructure companies, while the Republicans, supported by the U.S. Chamber of Commerce and many private companies, were concerned that the security standards would only burden businesses with cyber security costs without really protecting the nation from cyber attacks. They also expressed reservations about whether the government should take the lead in civilian cyber security matters and impose its mandates on private-sector companies. On top of this disagreement, neither party could agree on a set list of amendments.
Unlike the 2012 Cyber Security Act, Presidential Policy Directive 20 is not subject to the constraint of needing congressional approval, which opens the door to a debate on whether the policy is constitutional. Supporters of the policy say that since the guidelines are voluntary, this is not an issue, while opponents argue that anything written as voluntary will become mandatory de facto, since the vast majority must cooperate in order for the policy to work. As the debate rages on, one thing is certain: Policy Directive 20 is a step forward in addressing the cyber defense issues that, in this modern age, businesses as well as government must confront in order to protect themselves from the growing number of cyber threats.