U.S. Cybersecurity's Path From Legislative Debate to Executive Action
This is the latest in a series of columns from attorneys at O'Melveny & Myers LLP, examining the intersections of the political and legal worlds in the run-up to Election Day 2012.
Last week's effective defeat of the proposed Cybersecurity Act of 2012, due to the failure in the Senate to secure the 60 votes needed to cut off a filibuster, appears to mark the end of this year's efforts to enact legislation confronting the cybersecurity threat to critical U.S. infrastructure. Perhaps inevitably, in an election season, Congress could not choose between two very different visions.
That some action is needed in the realm of cybersecurity is the one thing beyond debate. Over the last year, supporters of various versions of legislation have emphasized that the nation's critical infrastructure (including electrical grids, water stations, and telecommunications systems) is a target for cyberattacks. Indeed, in July, the head of the National Security Agency and the U.S. Cyber Command said that computer attacks on U.S. infrastructure had increased seventeen-fold between 2009 and 2011, and expressed the view that, on a scale of 1-10, U.S. preparedness for a large cyberattack is around a three.
What action should be taken to address this threat, however, sparked sharp partisan disagreement. In the Senate, for example, supporters of the bill backed by the Obama Administration were unable to mollify its opponents' concerns: that the provision incentivizing companies to adopt voluntary cybersecurity standards was simply a guise for developing de facto mandatory standards, that the authority to aggregate cyberattack information had been delegated to the wrong agency, and that the bill's provisions did not strike the right balance between national security, private innovation and self-governance, and civil liberties.
The Senate may try again in September, but with few legislative days remaining on the congressional calendar, the election looming, and a busy lame duck session in the offing, the more likely outcome is that, following the election, the next administration, whether led by President Obama or Governor Romney, will address the national cybersecurity problem through executive action.
Because corporate systems will be the primary focus of cybersecurity reforms, it is an ideal time for companies and their in-house counsel to assess the strength of their existing cybersecurity programs. Indeed, for corporate counsel, cybersecurity must figure prominently in any conversation about long-term strategic risks to their company's interests.
An important strategic consideration for an internal assessment is, of course, the form that executive action may take. Consider the following:
1. Transparency and Disclosure
In October 2011, the Securities and Exchange Commission published guidelines regarding the potential need for public companies to publicly disclose cybersecurity risk assessments, including any material breaches of their cyber apparatus, if such risk would significantly affect investment decisions. While the SEC has not yet acted to enforce these requirements, the guidelines open the door for the agency to do so.
Unlike other models of executive action on cybersecurity, the SEC's disclosure guidance is already in effect. The challenge for companies affected by the guidelines is determining when to disclose and what disclosure is necessary. While companies can avoid enforcement action by disclosing cyber-threats, disclosures may also incur reputational harm and diminish shareholder confidence. Public disclosure of cyberattacks in real time, which the guidelines suggest companies undertake, also often spurs perpetrators of the attacks to accelerate data poaching, leaving the company less time to analyze the attack and contain its damage.
Indeed, the SEC staff has recognized this challenge presented by its disclosure obligations. Given the unpalatable consequences of both public disclosure and noncompliant failure to disclose, the SEC guidelines have the effect, through forced transparency, of incentivizing companies to monitor and minimize cyber-risks. In other words, the best position for a company to be in under the SEC disclosure guidelines is to have few, or even no, material cyber-threats or cyberattacks to report.
It is still unclear whether a company's failure to adopt a rational cybersecurity policy (either by lacking such a policy entirely, or by implementing obviously subpar measures) could trigger agency enforcement under the guidelines. However, companies whose disclosures indicate an awareness of material cyber-threats, but which do not take proactive steps to secure their infrastructure against such threats, may expose themselves to not only agency scrutiny, but also shareholder suits and other litigation risks.
2. Power of the Purse
In recent years, the federal procurement budget for government contracts with private vendors has been as high as $460 billion, and the awarding of federal contracts has often been conditioned on contractors' implementation of security standards in IT networks used for the contracted projects. The Senate has already heard testimony urging the use of procurement power to move vendors to more robust cybersecurity protections, and the Office of Management and Budget is currently pondering revisions to its cybersecurity guidelines for federal IT systems. Following this approach, the executive branch might argue that national security behooves government suppliers to protect the value chain leading to the federal government from unwarranted exposure to cyber-attacks, and might require government vendors to implement cybersecurity standards as part of their performance of federal contracts.
3. Government Standards
In 2013, the executive branch may move on standards, whether mandatory or voluntary. Government agencies or their delegates currently create an overlapping patchwork of sector-specific cybersecurity standards; examples include the Federal Financial Institutions Examination Council's suggested cybersecurity requirements for depository institutions in banking and finance, the Federal Energy Regulatory Commission's cybersecurity standards for the energy sector, and the Nuclear Regulatory Commission's cybersecurity guidance for nuclear power plants. The next administration may consider consolidating such standards-setting in one agency, tasked solely with protecting critical infrastructure networks across sectors, as was contemplated by the Senate bill. Of course, the form of those standards would likely depend on the same issues that surrounded the bill's standards-setting provision: whether the standards would be voluntary or de facto mandatory, and whether the standards-setting process would allow for industry input.
4. Voluntary Multi-Stakeholder Consensus
An executive order could task administrative agencies with coordinating voluntary, multi-stakeholder groups to set security standards, in keeping with the tradition of open and participatory Internet governance. For example, the National Institute of Standards and Technology, the U.S. Commerce Department agency that promulgates security standards for government agencies, currently engages in such open, multi-actor standards setting as part of that process, allowing it to draw on expertise from private industry, academia, and government scientists. Because the resulting standards represent a consensus among the tech community, they are often voluntarily adopted by industry players. Executive action could opt for this model of controlled self-governance, inviting companies to shape the substance of future cybersecurity standards.
5. Operative Standards of Care
The 2012 presidential election will inform, but not end, the debate over the cybersecurity of U.S. infrastructure. As ongoing disclosures clarify the SEC guidelines' exact ramifications, and as companies await the executive branch's next move, corporate counsel are well-advised to determine their own cybersecurity best practices. Indeed, a recent study by PricewaterhouseCoopers found that 43% of corporate executives from 130 countries had confidence in their security protocols, but only 13% of those executives had implemented a cybersecurity strategy and were aware of recent breaches to their companies' networks. For those not in the 13%, it is an ideal time to consider how their cybersecurity standards would fare under different forms of executive action.
Marty Dunn is a partner at O'Melveny & Myers LLP and a member of the firm's corporate finance/capital markets practice. Jonathan Sallet is a partner and a member of the firm's integrated legal strategies practice. Jennifer Chang is an associate at the firm. All three attorneys practice in O'Melveny's Washington, D.C. office. The authors would like to thank summer associate Ravi Doshi for his assistance with this article.
See also: "A Long, Hot Summer for Corporate Cybersecurity," CorpCounsel, August 2012.