The Senate Armed Services Committee has started a week dense with cyber-security hearings and other cyber concerns with questions about the intent by the White House to take security seriously. Perhaps coincidentally, late last week President Barack Obama met with Chinese President Xi Jinping and reached an understanding of some sort about Chinese spying on U.S. companies.
The Senate is so concerned about White House intentions because the administration was required by last year’s National Defense Authorization Act to create a cyber-defense policy, but so far has failed to deliver one. The lack of a specific policy, coupled with an agreement with China that’s basically a vague set of promises that the United States and China will try not to intentionally spy on each other’s commercial entities, leaves Congress with little to go on. The White House also is saying that if China doesn’t do what it’s supposed to do, the United States will levy sanctions.
Because there is no written agreement with China, and because there’s very little that’s specific, many in Congress are questioning if there’s any kind of enforceable agreement at all. The Senate, meanwhile, is pondering how (and if) to bring back a cyber-security bill sponsored by Senator Richard Burr (R-N.C.) that has stalled due to strong opposition from a number of fronts, but mostly due to concerns that it might violate the Fourth Amendment.
So far there are 22 amendments on the floor for that bill, and one major stumbling block facing Senate Majority Leader Mitch McConnell is how to handle the debate about the amendments. Many of those amendments are being proposed as ways to get past the worst of the privacy concerns currently dogging the cyber-security bill.
There will be additional hearings in the Senate including one with Director of National Intelligence James Clapper. The House Armed Services Committee will hear from Clapper and National Security Agency Director Adm. Michael Roberts about the administration’s stance on cyber-warfare. Part of the difficulty that Congress is having with the hearings is getting a definition of what actually constitutes cyber-warfare.
Adding to the complication with the hearings has been determining an appropriate response if a cyber-attack was detected, which is why the Senate has anxiously been awaiting the policy from the White House.
Meanwhile, the Senate Armed Services Committee did manage to get some agreement with the administration in regards to security, which is that the United States needs more than just a cyber-defense. Administration witnesses agreed that the United States should develop a cyber-offense in addition to a cyber-defense.
Although the government’s posture on cyber-offense or -defense doesn’t really affect most businesses directly, there could be a significant side issue considering the nature of the attacks from China, especially those against major defense contractors. The attacks against defense contractors have taken on the appearance of economic espionage, which would be prohibited under the agreement between China and the United States.
But those same attacks seemed to originate from within Chinese army installations, which would mean that those attacks also could be considered military espionage, which isn’t prohibited. This means that U.S. companies could easily find themselves faced with attacks that seem to originate from the Chinese military, but yielding information that’s then passed along to the Chinese commercial sector.
Washington Ponders Security, Again, but Its Motives Aren’t Clear
This is where the pending cyber-security bill comes into play. The new bill, if passed, allows information-sharing among and between federal entities, but it also allows sharing into the private sector. While it’s clear that this would be helpful in fighting cyber-attacks, privacy advocates worry that too much sharing of private information would allow the government to dig too deeply into their personal lives.
It’s worth noting that in the full text of the bill considerable effort seems to have been taken to include constitutional limits, but whether those limits in the text will be enough to satisfy most of the critics remains to be seen.
What this means, of course, is that the hearings will continue, but whether the result will be a workable cyber-security bill or a cyber-warfare policy from the White House remains to be seen. However, there are some indications on what to expect.
First, the White House isn’t going to deliver a cyber-warfare policy. Congress, despite its histrionics, has no way to compel the administration to deliver one. The administration, which has already demonstrated that it willingly, if not gleefully, ignores Congress, will continue to do so.
It’s also a safe bet that the Senate’s cyber-security bill will never see the light of day, at least not outside the Senate chambers. Even if the bill makes it to the Senate floor, it needs 60 votes to pass it along to the House, and getting all of those votes to agree on a single bill seems unlikely. But even if the Senate does manage to craft a compromise bill that makes it through a floor vote, it still has to get through the House of Representatives.
Considering the dysfunction that’s afflicting the Republican-controlled legislature these days, the passage of the bill without the help of the departing House speaker seems at least as unlikely as any other scenario.
What this means to you is that there will be a lot of attention paid to security, and lots of arm waving and shouting of promises, but no actual action. But then, if you’d wanted action, you’d have voted for a different Congress, right?