Corporate Counsel
ALM Properties, Inc.
Page printed from: Corporate Counsel

Back to Article

Select 'Print' in your browser menu to print this document.

A Long, Hot Summer for Corporate Cybersecurity

Catherine Dunn

Corporate Counsel

08-07-2012


During a summer in which the head of the National Security Agency revealed that cyberattacks on business and government have increased 1700 percent—and in which said NSA chief openly invited hackers to join forces with the U.S. government at a conference in Vegas—so did a highly anticipated piece of cybersecurity legislation meet a bitter end. Both of which should be turning the heads of corporate risk officers.

On Thursday, a filibuster by Senate Republicans blocked the Cybersecurity Act of 2012 at a critical juncture, killing the possibility of a full vote before the Congress’s August recess—and quite possibly ending the bill’s chances at passage for the rest of the year.

The bill called for new standards to secure computer networks across critical infrastructure industries—including energy and banking. Sponsored by an Independent and a Republican, the sponsors had already revamped the legislation in an effort to attract more Republican votes. And its defeat has prompted laments from the White House, lawmakers, and a host of security experts.

So how did a bill with so many supporters end up . . . nowhere?

Objections raised by the U.S. Chamber of Commerce played a major role, as a story by Ken Dilanian in the Los Angeles Times illustrates. The Chamber opposed mandatory security standards for critical infrastructure companies, which were in an earlier version of the bill. Even when those requirements were scaled back, however (leading to complaints that the bill had lost its teeth), opposition from the Chamber continued, according to the Times:

"The chamber believes [the bill] could actually impede U.S. cybersecurity by shifting businesses' resources away from implementing robust and effective security measures and toward meeting government mandates," Bruce Josten, the Chamber's chief lobbyist, wrote in a letter to senators Tuesday.

To U.S. intelligence officials, that made no sense: "It's incomprehensible why they are opposing it," White House counter-terrorism advisor John Brennan told the L.A. Times. "It's not grounded in facts nor in national security concerns."

Among senators, the bill’s defeat also led to harsh words. As The New York Times laid out in a succinct recap, CSA co-sponsor Senator Joe Lieberman (I-Connecticut) sparred with his longtime ally Senator John McCain (R-Arizona), who led the opposition. Meanwhile, the CSA’s other co-sponsor, Republican Senator Susan Collins of Maine, called the loss a “shameful day” and said she was disappointed in the Senate’s lack of urgency on the matter.

“I cannot think of another area where the threat is greater and we are less prepared,” Collins said, according to the NY Times.

Plenty of others echoed similar sentiments.

Representative Mac Thornberry, a Republican from Texas and vice chairman of the House Armed Services Committee, called the Senate’s inability to move ahead with a vote “particularly disappointing.” In a blog post for The Hill, he wrote:

Unfortunately, we do not dictate the terms of the cyber war we are in, and the tempo of the fight does not slow down to wait for Congress to act. Cyber threats pose a significant risk to our national security as well as our nation’s critical infrastructure and our economy. Every day, government and private networks are being attacked. Valuable information is being stolen from American companies, making them weaker and less competitive.

In an opinion round-up of three Silicon Valley experts, Mark Seward, senior security director at the data security firm Splunk, told NYT’s Bits blog that passing cybersecurity legislation is the difference between “whether we whether we want to be a third world country or a first world country.” He continued:

The resilience of our infrastructure’s ability to resist an attack is the mark of a first world country. Not being able to trust that water is going to come out of the tap, or that when I light my stove natural gas is going to come out, is a real problem in a first world country. A cyberattack could literally mean that the things we most take for granted won’t be available.

And over at The Huffington Post, former NSA computer scientist Dan Aitel—now the CEO of cybersecurity firm Immunity Inc.—tackled two big arguments against the bill:

1. It Creates an Unfair Cost for Businesses: . . . Private companies will have to adopt these defensive solutions any way to protect their own operations and profits—and, believe me, the downtime, damage and litigation costs resulting from a sophisticated cyber attack far outweigh the expense of securing your networks to begin with.

2. The Private Sector Can Do It On Its Own: . . . On some issues that might make sense, but not when it comes to defending against hostile nation-states. No company is able to shoulder the burden of anticipating a sophisticated global cyberattack from countries ranging from China to Iran.

In the meantime, it appears the White House might not wait around for a legislative solution. As The Hill reports, the Obama Administration is considering an executive order, which could take up key points in the bill, such as requiring regulated industries to meet certain security standards. "You don't need new legislative authority to do that," Jim Lewis, a senior fellow at the Center for Strategic and International Studies, told The Hill.