7 Questions for CEOs on IT SecuritySenator Lobbies Big Business to Back Cybersecurity Act
Sen. Jay Rockefeller wonders whether the chieftains of corporate America - the chief executives of the Fortune 500 companies - agree with the United States Chamber of Commerce's opposition to cybersecurity legislation before the Senate.
The West Virginia Democrat, who chairs the Senate Committee on Commerce, Science and Transportation and is a cosponsor of the Cybersecurity Act of 2012, suggests that the heads of influential corporations may be at odds with the Chamber, a position that has helped persuade nearly all Republican senators to block a vote on the bill and preventing its passage [Senate Votes to Block Cybersecurity Act Action].
This private sector-led approach strikes me as one that companies would want to have codified in statute, rather than risking reactive and overly prescriptive legislation following a cyber disaster.
"I would be surprised to learn that many other American companies, most of which recognize that what is good for their bottom lines is also good for the country's national and economic security, are as intransigently opposed to our cybersecurity legislative efforts as the Chamber of Commerce has indicated they are," Rockefeller writes in a letter he sent CEOs at Fortune 500 companies.
The bill would establish a process for government and business to develop jointly IT security practices to secure the mostly privately owned IT networks that run the nation's critical infrastructure and which businesses could voluntarily adopt.
Executive Order: Close to Completion
Because of Senate inaction, the Obama administration is expected to issue an executive order to establish a process to develop those voluntary IT security standards [WH Moves Closer to Issuing Infosec Executive Order]. The executive order - which Homeland Security Secretary Janet Napolitano told Congress "is close to completion," according to a published report - would be based on elements of the Cybersecurity Act.
Rockefeller, in the letter for the corporate CEOs, raises a great point: Why aren't major business groups backing voluntary IT security standards? He writes:
"For reasons I do not understand, the Chamber of Commerce and other businesses' lobbying groups opposed our plan to create a voluntary program that would empower the private sector to collaborate with the federal government to develop dynamic and adaptable voluntary cybersecurity practices for companies to implement when they see fit.
"This private sector-led approach strikes me as one that companies would want to have codified in statute, rather than risking reactive and overly prescriptive legislation following a cyber disaster."
Opponents of voluntary standards, including the Chamber, say they fear they could evolve into regulations that business would have no choice but to adopt. "The Chamber believes S. 3414 could actually impede U.S. cybersecurity by shifting businesses' resources away from implementing robust and effective security measures and toward meeting government mandates," the Chamber says in a message it sent senators days before the vote to stop a filibuster on the measure failed.
The 7 Questions
Rockefeller, among the first of a growing list of senators to call on President Obama to issue an executive order [see A Cybersecurity Dream Act Alternative], says he wants to understand the CEOs' views on cybersecurity, asking them in his letter:
- Has your company adopted a set of best practices to address its own cybersecurity needs; and, if so, how were these cybersecurity practices developed?
- Were they developed by the company solely or outside the company?
- When were these cybersecurity practices developed, how frequently have they been updated and does the company's board of directors or audit committee keep abreast of these developments?
- Has the federal government played any role in developing these cybersecurity practices?
- What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they choose?
- What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation's cyber vulnerabilities exist?
- What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country's most critical cyber infrastructure?
Most CEOs of large organizations are pragmatic types, and it will be interesting to see whether they view a government-business collaboration to develop best IT security practices as a reasonable approach that won't lead down a slippery slope toward regulation, as seen by dogmatic lawmakers and lobbyists.