Republican filibuster blocks Senate Cybersecurity bill

Online security includes abortion rights it seems

The latest attempt by the US government to ensure some kind of security standards for its critical infrastructure has failed, with Senate Republicans having blocked legislation over concerns about over-regulation of business and the weighing-down of the bill with useless amendments.

"Despite the President’s repeated calls for Congress to act on this legislation, and despite pleas from numerous senior national security officials from this Administration and the Bush Administration, the politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyber-attacks," said the White House in a statement.

The US Cybersecurity Act 2012 originally called for mandatory security standards to be enforced for companies forming the US national critical infrastructure – a rather nebulous term used to cover power, communications, water and the other stuff that makes life relatively safe and bearable. The government only has oversight of around 20 per cent of this, with private companies running the rest.

After the Republicans enforced a filibuster, the bill failed to meet the 60 votes required at a 52-48 split, with five Republicans and five Democrats crossing the floor. The US Chamber of Commerce, a lobbying group which was in the vanguard of opposition to the bill, applauded the vote.

"While we thank the co-sponsors for their efforts on the issue of cybersecurity, the legislation voted down today would have given the federal government too much control over what actions the business community could take to protect its computers and networks," Ann Beauchesne, its VP of National Security, told El Reg in an emailed statement.

Owing to the peculiar nature of the US legislative system, various irrelevant amendments were tacked onto the plan, including two to limit abortion, a motion to limit the sale of high capacity gun magazines, and an amendment by Senate Minority Leader Mitch McConnell (R-Kentucky) to repeal the Affordable Care Act.

The bill was watered down to make security standards voluntary, but that wasn't enough to appease critics. The legislation also worried civil liberties groups with its lack of privacy protections, although these were in part addressed.

"Regardless of today's vote, the issue of cybersecurity is far from dead,” said Michelle Richardson, ACLU legislative counsel, in a statement. "When Congress inevitably picks up this issue again, the privacy amendments in this bill should remain the vanguard for any future bills. We'll continue to work with Congress to make sure that the government’s cybersecurity efforts include privacy protections. Cybersecurity and our online privacy should not be a zero sum game."

The failure of the bill will leave many in the security industry seriously concerned. At last month's Black Hat and DEFCON meetings, current and former government representatives warned that the situation for the US in cybersecurity terms was dire. General Keith Alexander, director of the NSA and head of US Cyber Command, called for the hacking community to help keep America safe.

Based on what attendees were telling El Reg, the security community is perfectly happy to share information with the government, so long as it's a two-way street. The most common complaint is that government wanted all their hacks, but offered nothing in return when it came to locking down anyone else's systems.

The Cybersecurity Act would have formalized some kind of information sharing, and the House of Representatives' passing CISPA also seeks to set up a framework for collating data. But the security industry traditionally hasn't needed legislation to share information on a common threat.

Ever since the early days of the antivirus industry, the top researchers have shared information with commercial rivals on new threats. The first person to bag malware gets naming rights, but data is shared because security was more important than making a buck. This El Reg hack wonders if a similar system might work better than a government mandated one for cybersecurity. ®
