Seeking to overcome opposition from the US Chamber of Commerce and other business groups to a cybersecurity bill, Sen. Jay Rockefeller (D) of West Virginia took the unusual step Wednesday of writing the CEOs of the 500 largest US companies to request their views on cybersecurity and the legislation aimed at protecting the nation’s critical infrastructure from computer attacks.
Senator Rockefeller wrote a day after two other Senate Democrats, Chris Coons of Delaware and Richard Blumenthal of Connecticut, sent a joint letter to President Obama calling on him to issue an executive order aimed at protecting critical infrastructure from cyberattack. Rockefeller and Sen. Dianne Feinstein (D) of California have also called for presidential action.
Speculation that the president might be weighing such an order emerged less than a week after the Senate failed on Aug. 2 to pass cybersecurity legislation: a motion to cut off debate fell short (52-46) of the 60 votes required, effectively filibustering the bill.
Frustration has grown on Capitol Hill, in no small part due to explicit warnings about the growing cyberthreat from the nation's top military leaders, Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, and Gen. Keith Alexander, director of the National Security Agency, who also leads the Pentagon's new US Cyber Command.
"The cyberthreat is real and demands immediate action," General Alexander wrote in a letter to Senate Majority Leader Harry Reid in late July. "The time to act is now; we simply cannot afford further delay."
Recipients of Rockefeller's letter included Virginia Rometty, CEO of IBM, as well as the chiefs of ExxonMobil, Wal-Mart, General Electric, Ford and large utility companies. But the mailing list also reached many company chieftains whose computer networks are unlikely to be vital to the nation's welfare.
While Rockefeller has in the past polled small groups of businesses, this was apparently the first time detailed views on the subject had been requested en masse. Responses to such letters are purely voluntary but usually produce thoughtful replies, according to a spokesman for the Senate Commerce, Science and Transportation Committee, which Rockefeller chairs.
Rockefeller's letter appeared aimed at building an independent assessment of business viewpoints that might defuse lobbying that many blamed for the failed vote.
"I am writing to our country's five hundred largest companies because the filibuster of the legislation in the Senate was largely due to opposition from a handful of business lobbying groups and trade associations, most notably the United States Chamber of Commerce," Rockefeller wrote. "I would like to hear more – directly from the chief executives of leading American companies about their views on cybersecurity, without the filter of Beltway lobbyists."
The letter asks eight questions, including whether the company has adopted cybersecurity best practices, where those practices come from, and what concerns, if any, the company would have about working with the federal government in a voluntary program that includes sharing information on cyberthreats.
"I would be surprised to learn that many other American companies," he continues, "are as intransigently opposed to our cybersecurity legislative efforts as the Chamber of Commerce has indicated they are."
Chamber officials have said cybersecurity legislation would inevitably devolve into a "government-managed process," R. Bruce Josten, executive vice president of the Chamber, wrote in a July open letter to the Senate. Even voluntary federal guidelines would "impose new obligations on participating companies," he wrote.
Amid the Capitol Hill ferment, the White House has appeared quite serious about developing an executive order to boost cybersecurity in the absence of congressional action and amid public calls for action.
One possible indication that the president might be willing to take such action is a 19-page PDF document circulating on the Internet that appears to be a draft detailing steps the government could take on its own if Congress doesn't act.
According to that document, two coordination centers – one for physical infrastructure and another for cyber – would be set up under the Department of Homeland Security. In addition to developing a "near-real time common operating picture for critical infrastructure that includes actionable information about imminent and emergency threats," the document also outlines strategic goals, including an overhaul of government computer systems to "enhance the protection and resilience of critical infrastructure."
Such an executive order, however, could bind only federal agencies; it would work only on a voluntary basis with private businesses, which own and operate an estimated 85 percent of the nation's vital networks. The government would share threat information with business and offer new "metrics" developed by government agencies to help companies protect their systems from cyberattack.
One inducement for private industry to partner with the federal government under the Senate legislation would have been immunity from liability in the event of a cyberattack. An executive order cannot offer such a guarantee, because only Congress can grant it.
Cybersecurity experts are similarly skeptical of any measures that are purely voluntary, noting that voluntary standards put forward by the utility industry and by the federal National Institute of Standards and Technology already exist, yet have done little to bolster cybersecurity.
"We know how to make networks more secure, that's not the issue," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. "We have voluntary standards that have been laid out. But we won't be secure until someone has the nerve to require that people use these standards."