The current winter of discontent in the U.S. Congress over federal finances does not bode well for cooperation in other areas. Yet legislators push on, and among top Congressional priorities for 2013 is the enactment of legislation regarding the role of the federal government in dealing with national cybersecurity problems.
A key issue — still — is how much control the federal government should exercise when working with businesses to protect the Internet. On January 30, in an effort to show significant business support for legislation, Senator Jay Rockefeller (D-W.Va.) released results of a survey of Fortune 500 companies conducted by the Senate Commerce Committee at Rockefeller’s request last September — shortly after cybersecurity legislation failed to pass the Senate.
“The companies’ survey responses will be a great resource, as we refine much-needed cybersecurity legislation to improve and deepen the collaboration between our government and private sector,” Rockefeller said.
The Senate Commerce Committee report on the survey purports to show strong business support as a counter to the resistance that emerged to the 2012 Senate bill, especially the strong opposition from the U.S. Chamber of Commerce.
“In contrast to the Chamber of Commerce’s characterization of the legislation as creating an ‘adversarial relationship’ between the federal government and the private sector, many companies recognized the importance of increased collaboration between the private sector and the federal government and, consequently, supported the aims of a voluntary federal program for the development of cybersecurity best practices, as envisioned in the legislation,” the committee report said.
At several other places in the report, the committee criticized the Chamber for its role in lobbying against legislation last year.
‘Smoke and Mirrors’
“The committee represented the report as showing substantial business support, but the report is mainly smoke and mirrors and is really misleading,” David Inserra, research assistant for national security at the Heritage Foundation, told the E-Commerce Times.
The business community still favors legislation which establishes a federal mechanism for monitoring the Internet, helps to protect critical infrastructure such as electric, telecom and transport systems, and includes provisions for having businesses share cyberproblem and breach information with the government on a voluntary basis. Businesses, however, also want legal protections for any information they disclose to the government.
What troubles Inserra is that the Commerce Committee portrayed the Senate bill as featuring a voluntary approach when, in fact, he argued it allows the federal government to institute mandates and regulations on business.
“The rub is that Senator Rockefeller’s approach is not voluntary, and as a result is not really collaborative,” Inserra said. “A section of the proposed 2012 Cybersecurity Act clearly states that critical infrastructure regulators may adopt the cybersecurity practices as mandatory requirements. In addition, the bill would have forced government regulators to explain themselves to Congress if they do not make the practices mandatory. That’s a strong incentive to just go ahead and make the standards mandatory.”
Inserra found what he termed some significant flaws in the Commerce Committee report. “For starters, only 300 out of 500 companies responded. What about the other 200 companies? The details of the report show that 49 responses focused specifically on public-private cooperation and concerns about regulation. Of those, at least 34 are opposed to the Senator’s approach, or support it only if the standards are voluntary,” he said.
Cybersecurity and Business
Where does the business community stand right now as the cybersecurity debate looms?
Even before Sen. Rockefeller released the Commerce Committee results in late January, The Business Roundtable issued its own cybersecurity report on January 9, 2013.
“Safeguarding America’s strategic information systems, most of which are privately owned and operated, is a top priority for the CEOs of the Business Roundtable, who lead major U.S. companies operating in every sector of the economy,” Liz Gasster, vice president of information and technology at the Business Roundtable, told the E-Commerce Times.
To a large degree, member CEOs of the Roundtable register the same findings as represented by the Commerce Committee survey in that they take cybersecurity seriously, have developed practices to protect the infrastructure they own and operate, and want to see a stronger response from — and greater coordination within — the federal government in terms of protecting strategic U.S. information assets, Gasster said. “Business leaders support a greater role for government, particularly when it comes to meaningful information sharing with the private sector. They also want strong liability and privacy protection integrated into any information sharing framework,” she added.
However, in a statement the Roundtable issued when it released its report, the group called for a “reset” in the cybersecurity debate, “to avoid a governmentally dominated approach heavy with regulation.” The group noted at the time that President Obama was preparing an executive order that would “expand federal agencies’ authority in the cybersecurity realm.” The president issued that order this week.
Business leaders believe “a true public-private collaboration would be more effective than a mandated, top-down regulatory approach,” said Mike Manchisi, group executive of MasterCard Worldwide’s global processing business, and chair of the Roundtable’s information technology committee.
As for the U.S. Chamber of Commerce, its views are largely unchanged. In response to a query from the E-Commerce Times, manager of media relations Jamie Glick provided a statement from Bruce Josten, executive vice president for government affairs.
Voluntary Cooperation Is Key
Josten said that even though the Chamber supported many of the provisions in the 2012 Senate proposal, “in our view, industry had concerns that the bill would, in practice, establish a new regulatory regime, fostering rigid adherence to rules and procedures rather than fostering the speed and creativity necessary to protect our nation’s infrastructure.”
The Chamber did endorse other legislative approaches that were less burdensome and provided incentives for business participation in cybersecurity activities, he noted.
While the Senate Commerce Committee mentioned that a “handful” of business groups opposed the 2012 Senate bill, Josten noted that the Chamber represents more than three million businesses of all sizes and various sectors of the economy. “The Chamber urges the new Congress to move forward and stop looking back. We need to focus on legislation that can make a difference right away — and improvements to information sharing and other effective measures that have earned broad stakeholder support,” he said.
In that vein, Sen. Rockefeller and several other Democratic senators tossed a new proposal into the legislative hopper on January 28, which they called the Cybersecurity and American Cyber Competitiveness Act of 2013, (S. 21). The proposal appears to shed references to mandates or regulations.
“But I am not putting much credence in that proposal,” Inserra said. “For one thing it’s really a ‘sense of the Senate’ resolution rather than a realistic legislative proposal. For another, it’s awfully vague. And as we know with these bills, the devil is in the details.”