April 6, 2010


Tim Starks, CQ Today Online News, 04/06/2010

Large corporations and industry groups are finding much to like about new cybersecurity legislation moving through the Senate, and their active support of these bills reflects a widening consensus over the seriousness of the threat.

On Tuesday, Kirsten Gillibrand, D-N.Y., and Orrin G. Hatch, R-Utah, unveiled a draft cybersecurity measure aimed at tying foreign aid to successes in fighting cybercrime. The announcement came with endorsements from Microsoft Corp. and MasterCard Worldwide.

The Senate Commerce, Science and Transportation Committee is scheduled Wednesday to consider far-reaching cybersecurity legislation (S 773) sponsored by Chairman John D. Rockefeller IV, D-W.Va., and Olympia J. Snowe, R-Maine. Earlier versions of that bill drew intense industry criticism, but business groups such as U.S. Telecom and companies such as Verizon Communications Inc. have offered measured public praise for the latest version.

Industry sources said many in the private sector are complying with requests from Rockefeller and Snowe that amendments not be pushed Wednesday and that companies work collaboratively with lawmakers as the bill moves through the Senate.

There are several reasons for this new level of support. President Obama’s embrace of the “public-private partnership” after his cybersecurity review last summer has provided top-level leadership and something for all parties to aim toward, one industry official said. In addition, key lawmakers have intensely studied cybersecurity and now have a better understanding of the issue’s complexities, according to industry officials and others.

Perhaps most importantly, everyone agrees that the threat is growing, prompting businesses to take more of an interest as they increasingly comprehend how lackluster cyberdefenses can affect their bottom line — and as they recognize the need for a government role when it comes to defenses.

‘National Competitiveness’ Issue

“For those of us who have been focusing on this, we have recognized that it’s not just a national security issue,” Hatch said. “It’s an economic issue. It’s a national competitiveness issue. More people are getting focused on it.”

Hatch said he does not know what the prospects are for getting his bill enacted this year, given the deep partisan divisions in Congress, but he said endorsements from the business world could help.

The revised Rockefeller-Snowe legislation unveiled last week drew public praise not only from U.S. Telecom, a trade association for broadband providers, and Verizon, the telecommunications giant, but also from the National Cable and Telecommunications Association, the Internet Security Alliance and TechAmerica. Those industry associations commended the aim of bolstering cooperation between the federal government and the private sector, even as they said the bill should be seen only as a first step.

The bill combines audits, industry-developed and government-backed standards, increased information-sharing, and other mechanisms to bolster private sector cybersecurity. Earlier drafts included technology mandates and an expansion of government authorities that businesses strongly opposed.

TechAmerica, the Business Software Alliance and the Information Technology Industry Council joined in a letter Tuesday to the Commerce panel, commending the more partnership-focused bill. But the letter also criticized several provisions, such as those related to employee certification.

Larry Clinton, president and chief executive officer of the Internet Security Alliance, said his group still objects to the audit provisions and is seeking other cybersecurity incentives that are outside the Commerce panel’s jurisdiction. But his group is cooperating with staff requests not to “shop” amendments. Other industry sources said they were doing the same, citing the need to be “at the table” as the bill proceeds.

“They have pointed out that during the process that’s been going on during the last year, they have been open to adjusting the bill to accommodate various concerns,” Clinton said, referring to the staff members for Rockefeller and Snowe. The bill being marked up Wednesday, he added, is “substantially more pro-market and not as regulatory-focused as the previous bill.”

When Gillibrand and Hatch announced their legislation, which would link foreign aid to how well countries battle cybercrime, the endorsements from Microsoft and MasterCard were emblazoned on the news release. The Financial Services Roundtable, which represents about 100 large companies, also endorsed the bill.

The companies’ interest is made plain by the figures Gillibrand and Hatch cited: A Government Accountability Office report estimated that U.S. businesses lost $67.2 billion from cyber-attacks in 2005, while studies by the cybersecurity company McAfee Inc. point to the global economy losing more than $1 trillion in 2008 as a result of cyber-attacks. Experts agree that the number of attacks has been on the rise.

Gillibrand noted in her news release that New York businesses lose $4.6 billion a year due to cyber-attacks.

‘Weak Links’ a Cause for Concern

Even if one business devotes considerable attention to its own defenses, industry officials said, the interconnected nature of the Internet means that weaker defenses at other entities end up weakening the overall protections for every company. Those “weak links” may not be inclined to spend money on cybersecurity unless motivated by additional government incentives or penalties. That is also why companies are interested in improving cybersecurity internationally.

In addition, some companies contract with the federal government, so they have an interest in the government’s cybersecurity rules for contractors — a subject touched on by the Rockefeller-Snowe bill.

But even with all this industry support, both bills face high hurdles: Neither has a companion version in the House, and proponents must also overcome complex turf issues in Congress and a busy legislative calendar.

Still, it adds up to a shared goal for businesses and government, according to an industry source: “We’re trying to build a framework for a problem that’s not going to end.”