Republican filibuster blocks Senate Cybersecurity bill

Online security includes abortion rights it seems

The latest attempt by the US government to ensure some kind of security standards for its critical infrastructure has failed, with Senate Republicans blocking the legislation over concerns about over-regulation of business and the weighing-down of the bill with useless amendments.

"Despite the President’s repeated calls for Congress to act on this legislation, and despite pleas from numerous senior national security officials from this Administration and the Bush Administration, the politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyber-attacks," said the White House in a statement.

The US Cybersecurity Act 2012 originally called for mandatory security standards to be enforced for companies forming the US national critical infrastructure – a rather nebulous term used to cover power, communications, water and the other stuff that makes life relatively safe and bearable. The government only has oversight of around 20 per cent of this, with private companies running the rest.

After the Republicans enforced a filibuster, the bill failed to meet the 60 votes required at a 52-48 split, with five Republicans and five Democrats crossing the floor. The US Chamber of Commerce, a lobbying group which was in the vanguard of opposition to the bill, applauded the vote.

"While we thank the co-sponsors for their efforts on the issue of cybersecurity, the legislation voted down today would have given the federal government too much control over what actions the business community could take to protect its computers and networks," Ann Beauchesne, its VP of National Security, told El Reg in an emailed statement.

Owing to the peculiar nature of the US legislative system, various irrelevant amendments were tacked onto the plan, including two to limit abortion, a motion to limit the sale of high capacity gun magazines, and an amendment by Senate Minority Leader Mitch McConnell (R-Kentucky) to repeal the Affordable Care Act.

The bill was watered down to make security standards voluntary, but that wasn't enough to appease critics. The legislation also worried civil liberties groups with its lack of privacy protections, although these were in part addressed.

"Regardless of today's vote, the issue of cybersecurity is far from dead," said Michelle Richardson, ACLU legislative counsel, in a statement. "When Congress inevitably picks up this issue again, the privacy amendments in this bill should remain the vanguard for any future bills. We'll continue to work with Congress to make sure that the government's cybersecurity efforts include privacy protections. Cybersecurity and our online privacy should not be a zero sum game."

The failure of the bill will leave many in the security industry seriously concerned. At last month's Black Hat and DEFCON meetings, current and former government representatives warned that the situation for the US in cybersecurity terms was dire. General Keith Alexander, director of the NSA and head of US Cyber Command, called for the hacking community to help keep America safe.

Based on what attendees were telling El Reg, the security community is perfectly happy to share information with the government, so long as it's a two-way street. The most common complaint is that government wanted all their hacks, but offered nothing in return when it came to locking down anyone else's systems.

The Cybersecurity Act would have formalized some kind of information sharing, and CISPA, passed by the House of Representatives, also seeks to set up a framework for collating data. But the security industry traditionally hasn't needed legislation to share information on a common threat.

Ever since the early days of the antivirus industry, the top researchers have shared information with commercial rivals on new threats. The first person to bag malware gets naming rights, but data is shared because security is more important than making a buck. This El Reg hack wonders if a similar system might work better than a government-mandated one for cybersecurity. ®
