March 8, 2011


William Jackson, Government Computer News, 03/08/2011

A coalition of major business groups and a civil liberties organization is releasing a report Tuesday warning Congress against strong cybersecurity mandates on businesses, instead encouraging lawmakers to develop private-sector incentives and consider changing surveillance statutes.

The report by the Business Software Alliance, the Center for Democracy and Technology, the U.S. Chamber of Commerce, the Internet Security Alliance and Tech America contains recommendations for businesses and the executive branch as well as Congress. It comes as the Senate awaits feedback from the White House on what kind of legislation it wants, and as the House continues to study its options.

The groups conclude that Congress should not impose new cybersecurity standards on the private sector, but rather the government can “serve an important security function by funding independent evaluations of the existing and emerging standards for their security effectiveness and applicability, and by working with industry to develop profiles of existing standards.”

The report points out that businesses — which control most of the important computer network infrastructure — are driven by economic motives, while the government is focused on broader security concerns. “If targeted regulatory action to bridge these differences is considered, it should be undertaken with caution and in consultation with affected companies to avoid unintended consequences,” it concludes.

Lessons From Previous Measures

A series of comprehensive bills that advanced through Senate committees last year managed to increasingly win the favor of business groups as they were revised. But some organizations have taken issue with provisions that would have created new security standards, even if written in conjunction with the corporate world.

The report recommends that the government develop a “menu” of incentives for businesses to bolster security, including tax breaks; grants for research and development, equipment purchases and training; the expansion of a 2002 law (PL 107-296) that provides liability protections to manufacturers of security products; and the fostering of a cybersecurity insurance market.

Most of those incentives would require congressional action, and some in Congress have said there is little appetite for potentially costly incentives, given the anti-spending momentum on Capitol Hill.

Lawmakers and the private sector have also been wrestling with how to nurture information sharing between the government and businesses on cyber threats. The report recommends against a government “clearinghouse” that would process information it receives and disseminate it to network owners and operators, saying a “top-down” approach would not work as well as one that encourages businesses to be full participants out of self-interest.

Liability protections for companies that share cybersecurity information with the government are one possible approach, the groups say. Another consideration is the range of surveillance laws that allow the government to collect cybersecurity-related information.

“While current law provides substantial authority to collect, use and disclose communications, including for self-defense purposes, it does not provide explicit authority to do the same for the defense of others,” the report states. “Further inquiry is needed to determine exactly what information needs to be shared, but where there are legal barriers to necessary information sharing, it may be necessary for Congress to create a very narrow exception to the surveillance laws to permit such disclosures.”

While the groups support government standards that limit its own purchases to authorized dealers and re-sellers, they recommend that lawmakers keep in mind the global nature of the industry before placing strict requirements on what the government will buy. In some versions of last year’s Senate legislation, the government would have developed security requirements for products it purchases.

In addition, according to the report, Congress should make federally funded cybersecurity research and development more attractive to companies by “improving the ownership of licensing and intellectual property it generates.”

In the Senate, the leaders of the Homeland Security and Governmental Affairs Committee have reintroduced cybersecurity legislation (S 413) to pick up where they left off last year, with a measure that passed their committee and was merged with a Senate Commerce, Science and Transportation-passed bill. But the compromise bill never made it through the whole chamber.

The Senate has been awaiting guidance from the White House, which had indicated it would weigh in on legislative proposals early in 2011. And House Speaker John A. Boehner, R-Ohio, has asked Rep. William M. “Mac” Thornberry, R-Texas, to lead the coordination of the House’s cybersecurity effort with the aim of producing legislation.