Cybersecurity bill: Why senator is taking his case straight to top CEOs
Amid opposition from business groups to a cybersecurity bill, Sen. Jay Rockefeller is writing CEOs of the nation's top 500 companies for their views 'without the filter of Beltway lobbyists.'
Rockefeller's letter appeared aimed at building an independent assessment of business viewpoints that might defuse lobbying that many blamed for the failed vote.
"I am writing to our country's five hundred largest companies because the filibuster of the legislation in the Senate was largely due to opposition from a handful of business lobbying groups and trade associations, most notably the United States Chamber of Commerce," Rockefeller wrote. "I would like to hear more – directly from the chief executives of leading American companies about their views on cybersecurity, without the filter of Beltway lobbyists."
The letter includes eight questions seeking insight into whether cybersecurity best practices have been adopted, where they come from, and what concerns, if any, the company might have in working with the federal government in a voluntary program that includes information sharing on cyberthreats.
"I would be surprised to learn that many other American companies," he continues, "are as intransigently opposed to our cybersecurity legislative efforts as the Chamber of Commerce has indicated they are."
Chamber officials have said cybersecurity legislation would inevitably devolve into a "government-managed process," wrote R. Bruce Josten, executive vice president of the Chamber in a July open letter to the Senate. Even voluntary federal guidelines would "impose new obligations on participating companies," he wrote.
Amid the Capitol Hill ferment, the White House has appeared to be quite serious about developing an executive order to boost cybersecurity in the absence of congressional action and amid public calls for action.
One possible indication the president might be willing to take such action is a 19-page PDF document circulating on the Internet that appears to be a draft document detailing steps the government could take on its own if Congress doesn't act.
According to that document, two coordination centers – one for physical infrastructure and another for cyber – would be set up under the Department of Homeland Security. In addition to developing a "near-real time common operating picture for critical infrastructure that includes actionable information about imminent and emergency threats," the document also outlines strategic goals, including an overhaul of government computer systems to "enhance the protection and resilience of critical infrastructure."
Such an executive order, however, could only mandate federal agencies to obey and would work only on a voluntary basis with private business – which actually owns and operates 85 percent of the nation's vital networks. The government would share threat information with business – and offer up new "metrics" provided by government agencies to help them protect their systems from cyber attack.
One inducement for private industry to partner with the federal government under the Senate legislation would be immunity from liability in the event of a cyberattack. Any order the president issues can't offer such a guarantee.
Cybersecurity experts are similarly skeptical of any measures that are purely voluntary, noting that voluntary standards put forward by the utility industry and by the federal National Institute of Standards and Technology already exist, yet have done little to bolster cybersecurity.
"We know how to make networks more secure, that's not the issue," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. "We have voluntary standards that have been laid out. But we won't be secure until someone has the nerve to require that people use these standards."