Business community open to cybersecurity legislation

Bills failed in 2012 in part for fear that businesses would object. Now a senator's survey suggests that private sector attitudes may be more nuanced.

Congress will get another chance to pass cybersecurity legislation, but exactly what shape it will take is not clear.

Last fall, cybersecurity legislation champion Sen. John Rockefeller (D-W.V.) wrote a letter to the 500 largest companies in the United States, querying their CEOs on their cybersecurity practices and views. Now, a report outlining findings from the responses shows a majority in favor of government action – but with caveats.

Rockefeller’s letter came after Congress failed to pass the Cybersecurity Act of 2012. Lawmakers were divided over certain measures, such as programs being voluntary or compulsory for critical infrastructure operators. But the report also suggests that objections from the U.S. Chamber of Commerce, which were a primary hurdle to moving the legislation forward, may not have been shared by as many companies as originally thought.

"Overall, the companies’ responses showed that the private sector is supportive of Congress’s interest in passing cybersecurity legislation," a Jan. 28 memo to Rockefeller from the Senate Committee on Commerce, Science and Transportation majority staff noted. "Further, in contrast to the Chamber of Commerce’s characterization of the legislation as creating an ‘adversarial relationship’ between the federal government and the private sector, many companies recognized the importance of increased collaboration ... and, consequently, supported the aims of a voluntary federal program for the development of cybersecurity best practices, as envisioned in the legislation."

The memo, which outlined responses from roughly 300 of the 500 companies surveyed, could provide grist for the legislative mill, as the new Congress is expected to take up cybersecurity again sometime this year. The findings bolster the case for taking action and highlight chief concerns and priorities for lawmakers to consider.

"The concerns raised about the legislation were not about whether the government should have a role with respect to cybersecurity, but about the specifics of that role and what impact that role would have on how companies respond to their cybersecurity challenges," the memo noted.

Questions posed to the companies included inquiries on whether and how the companies had adopted best practices, what the role of government should be and what the CEOs’ concerns were.

Specifically, most said they do support cyber legislation – on a voluntary basis. CEOs who responded were particularly interested in information-sharing, best practices and standardized risk assessments. Uncertainties largely centered on implementation, including mandatory requirements that could be inflexible or duplicative of security efforts already in place.

"What this letter does is indicate that the Senate commerce committee now has an additional set of inputs from a broad cross-section of large U.S. companies. It helps further the dialog," said Harriet Pearson, partner in Hogan Lovells’ privacy and information management practice. "This is a new Congress; one thing we’re sure of is that cybersecurity will be on the agenda. What everyone is unsure of still is how will the nature of that debate go? There are important players who haven’t weighed in yet, notably the administration. Will it play out to be the same discussion around the same proposals, or will there be new approaches?"

Sen. Jay Rockefeller

The Obama administration is expected to soon issue a long-awaited executive order. According to The Hill, Sen. Tom Carper (D-Del.) indicated the EO will come later this month, after the State of the Union address. Carper also said he does not expect the same cyber bill to be re-introduced in the new Congress.

A Chamber of Commerce spokesperson directed questions to a blog post from leadership calling for continued conversation on the issue. The Chamber is also voicing ongoing support for information security bills that likewise failed to gain traction last year: CISPA and the SECURE IT Act, the latter of which was a Republican-backed response to the bipartisan Cybersecurity Act of 2012.

Posted on Jan. 31, the blog post seems to dispute the Senate committee’s contention that very few companies actually shared the Chamber’s views.

"The Chamber represents the interests of more than 3 million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations. Over the course of the past three years we have engaged our members with weekly calls to discuss cybersecurity and decide on a workable solution," Bruce Josten, the Chamber’s executive vice president for government affairs, wrote in the blog. "In our view, industry had concerns that the bill would – in practice – establish a new regulatory regime, fostering rigid adherence to rules and procedures rather than fostering the speed and creativity necessary to protect our nation’s infrastructure."

There does seem to be at least one area of consensus, though: the need for action on cybersecurity from Washington, sooner rather than later.

"We need to focus on legislation that can make a difference right away – improvements to information sharing and other effective measures that have earned broad stakeholder support," Josten wrote.