Feeds

Republican filibuster blocks Senate Cybersecurity bill

Online security includes abortion rights it seems

Beginner's guide to SSL certificates

The latest attempt by the US government to ensure some kind of security standards for its critical infrastructure has failed, with Senate Republicans having blocked legislation over concerns at over-regulation of business and the weighing-down of the bill with useless ammendments.

"Despite the President’s repeated calls for Congress to act on this legislation, and despite pleas from numerous senior national security officials from this Administration and the Bush Administration, the politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyber-attacks," said the White House in a statement.

The US Cybersecurity Act 2012 originally called for mandatory security standards to be enforced for companies forming the US national critical infrastructure – a rather nebulous term used to cover power, communications, water and the other stuff that makes life relatively safe and bearable. The government only has oversight of around 20 per cent of this, with private companies running the rest.

After the Republicans enforced a filibuster, the bill failed to meet the 60 votes required at a 52-48 split, with five Republicans and five Democrats crossing the floor. The US Chamber of Commerce, a lobbying group which was in the vanguard of opposition to the bill, applauded the vote.

"While we thank the co-sponsors for their efforts on the issue of cybersecurity, the legislation voted down today would have given the federal government too much control over what actions the business community could take to protect its computers and networks," Ann Beauchesne, its VP of National Security told El Reg in an emailed statement

Owing to the peculiar nature of the US legislative system, various irrelevant amendments were tacked onto the plan, including two to limit abortion, a motion to limit the sale of high capacity gun magazines, and an amendment by Senate Minority Leader Mitch McConnell (R-Kentucky) to repeal the Affordable Care Act.

The bill was watered down to down to make security standards voluntary but that wasn't enough to appease critics. The legislation also worried civil liberties groups with its lack of privacy protections, although these were in part addressed.

"Regardless of today's vote, the issue of cybersecurity is far from dead,” said Michelle Richardson, ACLU legislative counsel, in a statement. "When Congress inevitably picks up this issue again, the privacy amendments in this bill should remain the vanguard for any future bills. We'll continue to work with Congress to make sure that the government’s cybersecurity efforts include privacy protections. Cybersecurity and our online privacy should not be a zero sum game."

The failure of the bill will leave many in the security industry seriously concerned. At last month's Black Hat and DEFCON meetings, current and former government representatives warned that the situation for the US in cybersecurity terms was dire. General Keith Alexander, director of the NSA and head of US Cyber Command, called for the hacking community to help keep America safe.

Based on what attendees were telling El Reg, the security community is perfectly happy to share information with the government, so long as it's a two-way street. The most common complaint is that government wanted all their hacks, but offered nothing in return when it came to locking down anyone else's systems.

The Cybersecurity Act would have formalized some kind of information sharing, and the House of Representatives' passing CISPA also seeks to set up a framework for collating data. But the security industry traditionally hasn't needed legislation in the past to share information on a common threat.

Ever since the early days of the antivirus industry, the top researchers have shared information with commercial rivals on new threats. The first person to bag malware gets naming rights, but data is shared because security was more important that making a buck. This El Reg hack wonders if a similar system might work better than a government mandated one for cybersecurity. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.