The Senate on Wednesday failed to pass cybersecurity legislation that would set voluntary security standards for owners of critical infrastructure, such as dams, energy and water systems.
Senators voted 51-47 in favor of the bill, S 3414, but fell short of the 60 votes needed to move forward with final passage.
“Cybersecurity is dead for this Congress,” Senate Majority Leader Harry Reid, D-Nev., said following the vote. “What an unfortunate thing.”
Sen. Susan Collins, R-Maine, a co-sponsor of the Cybersecurity Act, expressed similar disappointment. “In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we’ve done less,” Collins said in a statement.
Senators were at a similar crossroad in August, but some were hopeful that Sen. John McCain, R-Ariz., and other Republicans who strongly opposed the bill would at least vote to move forward and introduce relevant amendments. McCain, who on Wednesday initially expressed a willingness to move forward with the bill if at least five amendments could be introduced, ultimately voted against the bill.
Under the bipartisan bill, critical infrastructure owners would become eligible for certain benefits if they voluntarily certify through a third party that they meet cybersecurity standards. Those benefits would include liability protections in the event of a cyber attack on their systems.
Republicans argued that implementing the bill would be a financial burden to industry. They also opposed the Department of Homeland Security’s role in approving and overseeing cybersecurity standards.
Retiring Sen. Kay Bailey Hutchison, R-Texas, who voted against the bill, suggested that the Senate start over and allow all committees with jurisdiction over cyber to provide their input.
Absent cybersecurity legislation, administration leaders have said the president would move forward with an executive order to improve cybersecurity of the nation’s most critical infrastructure.
Senators said that a draft of the executive order is being circulated. The order is said to include provisions that will establish cybersecurity standards for the 18 critical infrastructure sectors in areas where regulators have existing authority to enforce those standards. The order, however, could not provide liability protections for companies that follow those standards but are attacked.
The Washington Post reported that President Obama signed a secret directive in mid-October, Presidential Directive 20, that explicitly defines how the military will respond to a cyber attack using both offensive and defensive capabilities.