CEOs Support Voluntary Best Practices
Companies Concerned About Potential Regulations
A memo from the majority staff of the U.S. Senate Commerce Committee says most chief executive officers from major American corporations, responding to a survey, see a role for the federal government in working with business to develop IT security best practices that critical infrastructure owners could adopt voluntarily.
That conclusion puts the Democratic staffers at odds with the United States Chamber of Commerce and other groups representing big business as well as most congressional Republicans on whether the federal government should have a say on IT security best practices.
Sen. Jay Rockefeller, chairman of the Senate Commerce, Science and Transportation Committee, last September sent letters to the CEOs of 500 of the nation's largest corporations to solicit their comments on the Cybersecurity Act of 2012, a comprehensive legislative package that included provisions to establish processes for business and government to establish voluntary best practices, as well as provide protections for government and businesses to share threat information [see 7 Questions for CEOs on IT Security].
"Companies understand that the cyberthreats we face are real, and they understand that the federal government must play an important role in the nation's cybersecurity moving forward," says Rockefeller, D-W.Va., in a statement that accompanies the memorandum. "The companies' responses will be a great resource as we refine much-needed cybersecurity legislation to improve and deepen the collaboration between our government and private sector."
"Many companies stated that they supported the aims of the legislation, especially the provisions related to increased 'information sharing' between the private sector and the federal government," the memo says. "Further, in contrast to the Chamber of Commerce's characterization of the legislation as creating an 'adversarial relationship' between the federal government and the private sector, many companies recognized the importance of increased collaboration between the private sector and the federal government and, consequently, supported the aims of a voluntary federal program for the development of cybersecurity best practices, as envisioned in the legislation."
Still, the memo says, many companies raised concerns about any new federal program that would set mandatory cybersecurity requirements, create obligations that would impact their ability to address cybersecurity issues in a flexible manner or duplicate efforts already underway. "Although the current version of your legislation set no mandatory requirements, many companies were nevertheless wary of such an approach," the memo's authors write.
A Chamber official, in a statement, says American corporations should be wary. "Voluntary standards sound great in theory, but the devil is in the details," says Ann Beauchesne, Chamber vice president of national security and emergency preparedness. "Whether a new cybersecurity program is labeled regulatory or 'voluntary,' the fact is government officials will have the final word on the standards and practices that industry must adopt, which the Chamber opposes."
Appearing last year before Congress, representing the Chamber, former Homeland Security Secretary Tom Ridge testified that business, not government, knows best how to protect its information networks [see Partisan Showdown over Cybersecurity Bill]. Ridge's testimony was at odds with one of his successors, Secretary Janet Napolitano, who favors the government and business collaborating on developing voluntary standards for the nation's mostly privately owned critical infrastructure. Ridge said the so-called "light-touch" approach to voluntary standards could easily segue into onerous regulations. "It's a slippery slope that I'm most concerned about," he said.
The memo also points out that, like Rockefeller, many CEOs feel better coordination is needed between the federal government and business to reduce cyber vulnerabilities in the United States. The memo quotes one CEO as saying: "Vast federal resources are devoted to cybersecurity, but the current efforts are fragmented. We recommend the establishment of a public-private collaborative effort on cybersecurity that will combine existing federal requirements under a single coordinated framework. This approach will minimize undue complexity and promote a more agile and effective national cybersecurity response."
The memo quoted CEOs, but not by name, from a global financial company, an international conglomerate, a national retail chain, a healthcare concern and a technology company, all backing voluntary best practices.
"Companies' concerns related to the proposed voluntary program were primarily related to the potential development of an inflexible, one-size-fits-all set of best practices, and companies in the financial and electric sectors in particular expressed concern that their existing regulatory relations would be disrupted," the memo states. "Other common concerns included the need to adequately protect the confidentiality of information shared with the federal government during cyber threat assessments, and whether existing critical infrastructure programs, such as DHS's National Infrastructure Protection Plan, would be needlessly duplicated."
Rockefeller did not specifically ask companies for their positions on information sharing, but many CEOs voluntarily offered their views that they supported legislation to increase information sharing between the federal government and the private sector.