This is the latest in a series of columns from attorneys at O’Melveny & Myers LLP, examining the intersections of the political and legal worlds in the run-up to Election Day 2012.

Last week’s effective defeat of the proposed Cybersecurity Act of 2012, due to the failure in the Senate to secure the 60 votes needed to cut off a filibuster, appears to mark the end of this year’s efforts to enact legislation confronting the cybersecurity threat to critical U.S. infrastructure. Perhaps inevitably, in an election season the Congress could not choose between two very different visions.

That some action is needed in the realm of cybersecurity is the one thing beyond debate. Over the last year, supporters of various versions of legislation have emphasized that the nation’s critical infrastructure—including electrical grids, water stations, and telecommunications systems—is a target for cyberattacks. Indeed, in July, the head of the National Security Agency and the U.S. Cyber Command said that computer attacks on U.S. infrastructure had increased seventeen-fold between 2009 and 2011, and expressed the view that, on a scale of 1-10, U.S. preparedness for a large cyberattack is around a three.

What action should be taken to address this threat, however, sparked sharp partisan disagreement. In the Senate, for example, supporters of the bill backed by the Obama Administration were unable to mollify its opponents’ concerns—that the provision incentivizing companies to adopt voluntary cybersecurity standards was simply a guise for developing de facto mandatory standards, that the authority to aggregate cyberattack information had been delegated to the wrong agency, and that the bill’s provisions did not strike the right balance between national security, private innovation and self-governance, and civil liberties.

The Senate may try again in September, but with few legislative days remaining on the congressional calendar, the election looming, and a busy lame duck session in the offing, the more likely outcome is that, following the election, the next administration—whether led by President Obama or Governor Romney—will address the national cybersecurity problem through executive action.

Because corporate systems will be the primary focus of cybersecurity reforms, it is an ideal time for companies and their in-house counsel to assess the strength of their existing cybersecurity programs. Indeed, for corporate counsel, cybersecurity must figure prominently in any conversation about long-term strategic risks to their company’s interests.

An important strategic consideration for an internal assessment is, of course, the form that executive action may take. Consider the following:

1. Transparency and Disclosure

In October 2011, the Securities and Exchange Commission published guidelines regarding the potential need for public companies to publicly disclose cybersecurity risk assessments—including any material breaches of their cyber apparatus—if such risk would significantly affect investment decisions. While the SEC has not yet acted to enforce these requirements, the guidelines open the door for the agency to do so.

Unlike other models of executive action on cybersecurity, the SEC’s disclosure guidance is already in effect. The challenge for companies affected by the guidelines is determining when to disclose and what disclosure is necessary. While companies can avoid enforcement action by disclosing cyber-threats, disclosures may also incur reputational harm and diminish shareholder confidence. Public disclosure of cyberattacks in real time, which the guidelines suggest companies undertake, also often spurs perpetrators of the attacks to accelerate data poaching, leaving the company less time to analyze the attack and contain its damage.

Indeed, the SEC staff has recognized this challenge presented by its disclosure obligations. Given the unpalatable consequences of both public disclosure and noncompliant failure to disclose, the SEC guidelines have the effect, through forced transparency, of incentivizing companies to monitor and minimize cyber-risks. In other words, the best position for a company to be in under the SEC disclosure guidelines is to have few, or even no, material cyber-threats or cyberattacks to report.

It is still unclear whether a company’s failure to adopt a rational cybersecurity policy—either by lacking such a policy entirely, or by implementing obviously subpar measures—could trigger agency enforcement under the guidelines. However, companies whose disclosures indicate an awareness of material cyber-threats, but which do not take proactive steps to secure their infrastructure against such threats, may expose themselves to not only agency scrutiny, but also shareholder suits and other litigation risks.

2. Power of the Purse
