NEW YORK (CNNMoney) — The House of Representatives, as expected, approved a controversial cybersecurity bill late Thursday, staring down a veto threat. But the fight to protect the United States from a cataclysmic cyber attack is far from over.
The Cyber Intelligence Sharing and Protection Act, which has been revised several times over the past week, allows the government and private companies to share information with one another with the aim of warding off cyber threats.
Companies would be incentivized to voluntarily share information with the government, and the United States could share crucial attack information with companies. Much of that kind of information sharing had previously been banned under existing privacy laws.
The bill passed with bi-partisan support, with 42 Democrats joining 206 Republicans to pass CISPA 248-168. That came in spite of the White House’s threat to veto the bill, citing concerns that the bill’s language doesn’t go far enough to protect citizens’ privacy.
What happens next isn’t exactly clear — except for the fact that no action will likely happen anytime soon. That’s a concern to security advocates and intelligence officials, who stress that the nation remains too vulnerable to cyber threats.
The government’s top cybersecurity advisors widely agree that cyber criminals or terrorists have the capability to take down the country’s critical financial, energy or communications infrastructure.
Such a cyber attack was already launched against Iran in the Stuxnet incident, which significantly delayed Iran’s nuclear program. The worm ordered the centrifuges in an Iranian nuclear facility to spin out of control, ultimately destroying it.
It’s an example of how cyberwarfare is leveling the playing field. A cyber attack would be less difficult to pull off than a 9/11-like attack, considering it could be launched from another country and the attacker could remain anonymous. Yet it could have the same devastating impact if attackers used cyberspace to take over our infrastructure, turn off our electricity, release toxins, or shut down our financial system.
Venezuela, for instance, would never try to attack the United States militarily, but Venezuelan diplomat Livia Antonieta Acosta Noguera launched cyber attacks here in January in an alleged Venezuelan plot to disable American nuclear power plants.
“Not only did Venezuela carry it out, they thought they could get away with it,” said Roger Cressey, senior vice president at security consultancy Booz Allen Hamilton, at a Bloomberg cybersecurity conference held last week. “That says a lot.”
If the threat is evident, the path forward is anything but. Getting CISPA or any comprehensive cybersecurity law passed soon faces many obstacles.
The Obama administration prefers the Senate’s version of the bill, sponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), which takes a regulatory approach. The Senate bill mandates minimum cybersecurity performance standards for private companies that control the nation’s critical infrastructure.
CISPA, or one of several other cybersecurity bills passed in the House this week, would likely to be reconciled with the Senate bill. Yet that bill isn’t expected to even pass the Senate, let alone the House, due to the anti-regulatory mood currently sweeping through Congress.
Some believe that politics will ultimately stall a bill until after the November presidential election.
But other cybersecurity experts closely watching the legislative process expect lawmakers to ultimately come together in the next few months. They believe politicians can rally behind the core elements of the bills, including increased information sharing, enhancing law enforcement’s authority and reform of the existing Federal Information Security Management Act.
“The bill that will eventually reach the president’s desk is not the one that [was passed by] the House,” said Larry Clinton, CEO of the Internet Security Alliance. “That’s understood and expected. But the core issues have broad support, and if a bill addresses all those issues, the president would sign it.”