Congress Won't Approve Cybersecurity Law Until Attack Compels It to Act, Bayh Says


By Stephen Joyce  

April 3 -- Congress is unlikely to approve legislation to safeguard U.S. entities from cyberthreats until an attack debilitates a corporate or government computer system, former Sen. Evan Bayh (D-Ind.) said April 3 at the American Bar Association Section of International Law 2014 Spring Meeting in New York.

Ongoing and continuous attacks on computer networks used by U.S. financial institutions and critical infrastructure installations have not been enough to move Congress, he said.

113th Congress Unlikely to Act

“I think it's not likely there will be legislative action” in the 113th Congress, Bayh predicted. “That's too bad. It will probably take a cyberattack succeeding in some way that significantly harms the country before we'll be able to reconcile the debate in Washington about legislation,” Bayh, who served on the Senate's Select Committee on Intelligence and is now on the Central Intelligence Agency's advisory board, said.

David Laufman of the Law Offices of David H. Laufman, PLLC, in Washington, agreed with Bayh that enactment of cybersecurity legislation during the 113th Congress is unlikely. Laufman is a former Department of Justice attorney.

He said that if any cybersecurity legislation is approved, it would likely create federal data breach notification requirements. Companies operating on a national scale must comply with varying notification regimes imposed by 46 states and the District of Columbia, he said.

The only government action that might be taken to enhance cyberdefenses in 2014 will be limited to what President Barack Obama can accomplish by executive order, Bayh, who is a partner at McGuireWoods LLP in Washington, said.

And if Congress waits until an attack to approve cybersecurity legislation, “you're likely to get some mandatory standards that will make what's been proposed, at least right now, pale in comparison. Because we always way overreact once we've been attacked, and both sides need to get that in their minds, because that's what is coming,” Bayh said.

Call to End Political Standoff

The former senator, who also served as Indiana's governor, urged politicians of both major political parties and all ideologies to work toward legislative initiatives enjoying bipartisan support before a cyberattack compels action.

“And so my friends on the Republican side, and I have many of them, need to figure out how they can resolve their concerns on behalf of the business community. And my fellow Democrats, who tend to be more sensitive to the point of view of the trial bar and shareholder class actions and things like that, need to figure out how to reconcile those concerns,” Bayh said.

“We see where the concentric circles overlap and get on with this. Because right now we're just at a standoff and both sides are going to end up suffering,” he said.

In the absence of federal legislation, the Obama administration on Feb. 12, 2013, issued Executive Order 13636, which attempts to improve the security of U.S. critical infrastructure through voluntary efforts of private-sector infrastructure owners and operators.

Voluntary, Private-Sector Driven Standards?

Because Congress has not acted to improve cybersecurity and deter attacks, other panelists said industrial enterprises may voluntarily develop standards on their own to safeguard their assets.

Panelists noted that the National Institute of Standards and Technology's final cybersecurity framework, issued in February as part of the action authorized by Obama's executive order, provides a voluntary, risk-based framework developed with private-sector input to address and manage cybersecurity risks while trying to minimize regulatory burden.

Laufman described the NIST framework as a “starting point.”

Joel Brenner, the former inspector general of the National Security Agency, cited a list of 20 critical security controls developed by the SANS Institute, a research and education organization offering computer security training and certification, as another private-sector effort to develop best practices.

Extant Legislation

Cybersecurity legislation (H.R. 624), introduced by Rep. Mike Rogers (R-Mich.), would allow federal entities to share cyberthreat information among designated federal operations centers, and would direct certain federal agencies to develop policies and procedures governing the receipt, retention, use and disclosure of non-publicly available threat information.

The bill, the Cyber Intelligence Sharing and Protection Act (CISPA), was approved by the House April 18, 2013. The Senate Select Committee on Intelligence has not moved on the legislation.

Sen. Jay Rockefeller (D-W.V.) on July 24, 2013, introduced S. 1353, which would permit the Commerce secretary to facilitate and support the development of a voluntary set of standards to reduce risks to U.S. infrastructure. The bill was referred to the Senate Commerce Committee.


To contact the reporter on this story: Stephen Joyce in New York at

To contact the editor responsible for this story: Donald G. Aplin at
