FAQ: What is the current status of U.S. cybersecurity legislation?

For years, U.S. officials have tried -- but failed -- to enact sweeping cybersecurity legislation. Could 2013 be the year lawmakers create rules to protect the nation's infrastructure and businesses from cybercrime?

Lawmakers on Capitol Hill have been debating cybersecurity bills for many years, but opposition from industry and civil rights groups has always stymied the initiatives. In 2012, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA) despite vehement opposition from online privacy advocates and the White House. The Senate, however, voted down a version of cybersecurity legislation, titled the Cybersecurity Act of 2012, in large part because of industry opposition.

There has been a wide variety of legislative proposals for safeguarding American computer systems and networks, but recent bills have focused on two goals. These include protecting critical infrastructure -- such as power plants, chemical facilities, communications networks, transportation networks and financial networks -- and promoting information-sharing between the government and industry. Information-sharing provisions examine ways to encourage private companies to inform government organizations such as the National Security Agency about cybersecurity threats and responses. For affected industries, such provisions must include liability protection should they share information protected by privacy laws.

What is the status of cybersecurity legislation in 2013?

Soon after the 113th Congress convened this year, Sens. John D. Rockefeller IV (D-W.Va.), Tom Carper (D-Del.) and Dianne Feinstein (D-Calif.) introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 (S. 21). Among other stipulations, the bill calls for establishing an information sharing mechanism, a public-private risk assessment, a critical infrastructure attack response system and privacy protections.

In the House of Representatives, the Cyber Intelligence Sharing and Protection Act (CISPA) of 2013 (H.R.624) was introduced Feb. 13 by Reps. Mike Rogers (R-Mich.) and C.A. "Dutch" Ruppersberger (D-Md.). It is identical to the CISPA version that won House passage in 2012, and enjoys strong support from industry.

The reintroduced CISPA would do the following:

  1. Authorize the government to provide private companies with classified cyberthreat information.
  2. "Empower" businesses to share threat information with each other and the government on a voluntary basis.
  3. Protect from liability companies that share threat information.

More resources

Cybersecurity and American Cyber Competitiveness Act of 2013

Cyber Intelligence Sharing and Protection Act

What role has the Obama administration played in the cybersecurity bill debate?

Early in President Barack Obama's first term, he declared that cybersecurity was a priority for his administration. Officials and U.S. military representatives pressed lawmakers fervently, although unsuccessfully, to pass the Senate's Cybersecurity Act of 2012. President Obama even penned a Wall Street Journal op-ed promoting the act, and threatened to veto the Cyber Intelligence Sharing and Protection Act (CISPA) of 2012 that the House of Representatives passed.

When the Cybersecurity Act of 2012 failed to pass the Senate, in large part because of industry opposition, the White House moved to implement cybersecurity protections via executive order. Following his State of the Union address on Feb. 12, 2013, President Obama released an executive order titled Improving Critical Infrastructure Cybersecurity, seeking to strengthen the government's cybersecurity partnership with industry. The Department of Homeland Security outlined its provisions, including the following:

  • Requires federal agencies to write and share threat reports with relevant companies.
  • Allows companies outside the "Defense Industrial Base" to participate in an "Enhanced Cybersecurity Services" program.
  • Directs the National Institute of Standards and Technology to spearhead the development of a cyber-risk reduction framework.
  • Develops a voluntary program to help companies implement the risk reduction framework.
  • Requires a review of current cybersecurity regulation.
  • Requires agencies to include privacy and civil liberties safeguards based on the Fair Information Practice Principles in the order's cybersecurity activities, and regularly assess the impact of their activities.

Separately, on Feb. 12, the president signed the Presidential Policy Directive on Critical Infrastructure Security and Resilience to improve coordination between the government and industry on securing critical infrastructure. The directive calls for a research and development plan to help the government "enhance and encourage" market-based innovation. Under the directive, the government is required to "identify the functional relationships across the government related to critical infrastructure"; to come up with a "situational awareness capability" that addresses the implications of a cyber incident; and to address other information-sharing priorities.

More resources

DHS fact sheet regarding cybersecurity executive order

Executive order: Critical infrastructure cybersecurity

President Obama's policy directive on critical infrastructure security

Who is behind the opposition to cybersecurity bills?

The most vocal and concerted opposition to Capitol Hill's cybersecurity efforts comes from industry groups and civil rights advocates, each taking issue with the legislative proposals for different reasons. Industry groups, including the U.S. Chamber of Commerce, lobbied against any cybersecurity proposals due to concerns that they would impose unfair regulatory burdens or costs on businesses. These industry representatives also fought to ensure that companies would be protected from liability when handing the government or other agencies information that privacy laws safeguard.

Civil rights advocates -- including the Electronic Frontier Foundation (EFF), the Center for Democracy and Technology (CDT) and the American Civil Liberties Union (ACLU) -- have also voiced opposition to information-sharing proposals. These groups argue that the proposals do not contain sufficient consumer privacy protection.

The CDT responded scathingly when the Cyber Intelligence Sharing and Protection Act of 2013 (H.R.624) was reintroduced Feb. 13, 2013, in the House of Representatives after an identical bill failed to pass in the previous Congress. The new CISPA bill created a "sweeping exception to all privacy laws," permitting American citizens' private information to be shared with the National Security Agency and the military, the CDT argued.

More resources

Center for Democracy and Technology: Cybersecurity bill "fundamentally flawed"

U.S. Chamber of Commerce coalition letter regarding CISPA

What are the prospects of a cybersecurity bill becoming law during the 113th Congress?

After many years of sometimes-heated debate, efforts to pass cybersecurity legislation appear to face better odds in 2013. The Cybersecurity and American Cyber Competitiveness Act of 2013 (S. 21), introduced in the Senate in January, has generated less controversy than the Cybersecurity Act of 2012. In the House, however, it would be unsurprising if the Cyber Intelligence Sharing and Protection Act of 2013, reintroduced in February after being passed by the previous Congress, again did not pass.

The executive order on Improving Critical Infrastructure Cybersecurity and the Presidential Policy Directive on Critical Infrastructure Security and Resilience that President Obama signed on Feb. 12, 2013, could also serve to motivate lawmakers to pass cybersecurity legislation.

More resources

Senators reintroduce cybersecurity bill

U.S. officials: China hacking report proves need for cybersecurity bill