Sen. Jay Rockefeller
Ask U.S. companies for their thoughts on cybersecurity and, if you’re Senator Jay Rockefeller (D-WV), you shall receive. Some 300 of the biggest corporations in the country have given the senator their views on proposed cybersecurity legislation that met a bitter defeat last summer—with many voicing support for voluntary collaboration with the federal government, while eschewing a “one-size-fits-all” approach to corporate cyber safeguards.
So say the results of a questionnaire that Senator Rockefeller sent to all CEOs of the Fortune 500 last September, after a Republican-led filibuster blocked the Cybersecurity Act of 2012 from coming to a vote. Rockefeller’s committee released its assessment of those responses—along with a sampling of quotes from the answers he received—as legislators gird for another attempt at getting cybersecurity legislation passed this year.
According to a recent staff memo from the Senate Committee on Commerce, Science, and Transportation, which Rockefeller chairs, “The concerns raised about the legislation were not about whether the government should have a role with respect to cybersecurity, but about the specifics of that role and what impact that role would have on how companies respond to their cybersecurity challenges.”
The 2012 bill met with heavy opposition from lobbyists, particularly the U.S. Chamber of Commerce. In a letter sent to senators last July, the Chamber urged members of Congress “to not complicate or duplicate existing industry-driven security standards with government mandates and bureaucracies, even if they are couched in language that would mischaracterize these standards as ‘voluntary.’ ”
In turn, Rockefeller took the unusual step of soliciting opinions directly from Fortune 500 firms. He inquired about their own cybersecurity practices, as well as their views on the 2012 legislation, and the possibility of a voluntary program to allow the government and private sector to coordinate on best practices.
The query elicited responses from more than 80 percent of the top 100 companies, and approximately 300 responses in total. According to the memo, the staff of the committee’s majority members determined that “the Chamber of Commerce’s vehement opposition to the legislation was not shared by many companies in the private sector.”
All respondents said they have developed practices to protect company infrastructure from attacks, drawing on compliance with existing laws, benchmarking by third-party audit firms, and assistance from trade groups.
Depending on the respondent’s industry, companies also cited their participation in “government programs designed by sector-specific agencies” with regulatory authority, according to the memo, including the Department of Homeland Security, the Department of the Treasury, and the Federal Communications Commission.
“Your concern over the government’s ‘ad hoc’ approach was also shared by companies that provided responses,” the majority staff informed Senator Rockefeller.
Respondent CEOs also voiced support for both collaboration, sans government mandates, and information sharing. “Many companies supported a voluntary program to protect critical infrastructure, so long as it would not become mandatory,” the memo states. And, “nearly every company that provided a thorough response expressed support for more robust, two-way cyber threat information sharing, with greater access to security clearances to ease the process,” the committee staff found.
But corporations expressed wariness, too, about “the potential development of an inflexible, ‘one-size-fits-all’ set of best practices,” the memo states. Financial services and electric-sector companies “in particular expressed concern that their existing regulatory relations would be disrupted.”
Reacting to the findings, a spokesperson for the Chamber continued to voice skepticism about voluntary standards, Reuters reports. "Whether a new cybersecurity program is labeled regulatory or 'voluntary,' the fact is, government officials will have the final word on the standards and practices that industry must adopt, which the Chamber opposes," said Ann Beauchesne, the group’s vice president of national security and emergency preparedness.
The committee, though, sounds ready for another round of legislation. “The concerns with such a program were generally related to the manner in which it would be implemented,” the staff found, “not with the fundamental notion of whether to create it.”
See also: “Calling General Counsel to the Front Lines of Cybersecurity,” CorpCounsel, February 2013.
