WASHINGTON -- It is a scenario that many officials in Washington say keeps them awake at night: a cyberattack against critical infrastructure. Many lawmakers believe the nation's vital computer networks are vulnerable to such an event, which they say could lead to the collapse of the banking system, sustained blackouts or even mass casualties. Some have made comparisons to the lack of airport security before the Sept. 11 attacks.
Yet in recent weeks, the prospect of passing major cybersecurity legislation for the first time has grown uncertain. Senators have introduced competing bills amid differences over whether the Department of Homeland Security should be given power to enforce cybersecurity standards at private companies, which own and operate 85 percent of critical infrastructure. Many Republicans and business lobbyists, including the U.S. Chamber of Commerce, oppose legislation with regulations, claiming they would harm companies, while many Democrats say DHS enforcement is the only way to properly address cyber vulnerabilities to critical infrastructure.
Comprehensive cybersecurity legislation has never reached the floor of Congress for a vote. After a year in which numerous government agencies and major corporations revealed that hackers had infiltrated their networks to steal corporate secrets or leak sensitive customer data, many still think this could be the year to pass a cyber bill. Thus far, more than 30 cybersecurity bills have been unveiled on Capitol Hill, emerging from a wide range of committees, including Commerce, Foreign Affairs, Intelligence and Homeland Security.
But privately, several Congressional aides and observers say the debate over cyber legislation has become increasingly partisan and that time is running short to pass legislation in an election year.
In a closed-door meeting with senators this month, the Obama administration showed the potential consequences of inaction by performing a simulated cyberattack in which New York City’s power supply was brought down during a summer heat wave. The simulation was designed to show how the administration’s proposed cyber legislation “would enhance our ability to work with industry to prevent attacks and limit their aftereffects,” John Brennan, assistant to the president for Homeland Security and Counterterrorism, said in a statement.
“It is critical that we strengthen our cybersecurity posture, and we urge Congress to recognize the need for new tools to more effectively prevent and respond to potential cyber attacks on the homeland,” Brennan said.
The debate over cyber legislation comes as a growing number of officials express concerns about terrorists taking advantage of poor cybersecurity within the nation's critical infrastructure. Last week, FBI Director Robert Mueller told a Senate committee that terror groups are becoming more "cyber savvy" and are "using cyberspace to conduct operations."
"While to date terrorists have not used the Internet to launch a full-scale cyber attack, we cannot underestimate their intent," Mueller told the Senate Appropriations subcommittee.
In February, Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), John D. Rockefeller IV (D-W.Va.), and Dianne Feinstein (D-Calif.) introduced the Cybersecurity Act of 2012, which gives DHS new powers to set cybersecurity standards for private companies operating the nation's critical infrastructure. It also creates ways that the private sector and the federal government can share information about cyber threats, and calls for increasing the number of cybersecurity employees in the federal government.
"That’s the most comprehensive bill and probably the most likely to change behavior in the private sector," said Stewart Baker, a former assistant secretary at the Department of Homeland Security. "Without holding the private sector to a general standard, we haven’t really addressed the hardest issue."
But while the bill calls for cyber regulations, business lobbyists have pressured the bill's authors to include so many exceptions that the latest version "really just papers over the problem," said Alan Paller, director of research at the SANS Institute, a cybersecurity training school.
"It would be like automobile regulations that said 'if the car has more than three wheels, the bill doesn't apply,'" Paller said.
Still, the bill has the support of the White House, which proposed its own cyber legislation last May. Senate Majority Leader Harry Reid said he plans to bring the legislation to the Senate floor for a vote in coming weeks.
The measure faces opposition from Republican senators and industry lobbyists, including the Chamber of Commerce, because of the regulatory power it gives the Department of Homeland Security.
“That’s the part that could sink the whole bill,” said Larry Clinton, president of the Internet Security Alliance, a trade group that promotes the cybersecurity needs of a wide variety of industries.
In response, Sen. John McCain introduced a bill earlier this month that contrasts with legislation introduced by Lieberman, a longtime friend whom McCain once considered as a presidential running mate. McCain's bill, backed by several Republican senators, does not focus on regulation, but instead on increased information sharing between the government and private sector.
“Now is not the time for Congress to be adding more government, more regulation, and more debt - especially when it is far from clear that any of it will enhance our security," Sen. Saxby Chambliss (R-Ga.), a co-sponsor of McCain's bill, said in a statement.
But privacy advocates worry that McCain's bill would make it easier for U.S. intelligence agencies to monitor citizens' emails, and security experts dismiss the proposal as a political tactic to support business interests. Without regulation in cyber legislation, the security weaknesses that exist in critical infrastructure will not be addressed, said James Lewis, a senior fellow with the Center for Strategic and International Studies.
Lewis called the Senate Republicans' bill "national security through faith healing."
"It’s a flop, it’s a bust, it’s a joke," he said.
Unlike regulation, calls for information sharing about cyber threats have greater political consensus. Currently, the federal government and companies do not share threat data either because the information is classified or because companies fear violating anti-trust law.
Reps. Mike Rogers and Dutch Ruppersberger have sponsored a bill that gives companies and government agencies legal protection to share data on cyber threats. To assuage privacy and civil liberties groups, the measure would only include information pertaining to cybersecurity or national security. In December, the bill sailed through the House Intelligence Committee by a vote of 17 to 1 -- just one day after it was introduced.
Such speed highlights a new sense of urgency among members of Congress, many of whom can recall the consequences of being unprepared on the national security front, Lewis said.
"The one thing you can say about Congress is they've been persuaded that the threat is real," Lewis said. "There’s a sense we don’t want to make the mistake we made in the 1990s about al Qaeda and 9/11."