Critical Infrastructure Regulation: Government Knows Best

The threat that the federal government may mandate guidelines for corporate security has been looming since Sept. 11, 2001. Rep. Adam Putnam (R-Fla.) was ready to put such legislation on the floor of the House of Representatives, but instead he has convened a working group. The group’s goal is to develop a private-sector approach to protecting the nation’s corporate computer networks. But is government regulation of corporate security inevitable?

The Corporate Information Security Working Group (CISWG) met for the first time in mid-November 2003 and includes academic, industry and corporate leaders. A few key players in this group include representatives from the U.S. Chamber of Commerce, the Business Software Alliance, the Internet Security Alliance, TechNet and The SANS Institute. The plan is to meet each month and come back to Putnam in February with some hard recommendations about how the members think the private sector can enhance corporate security.

Originally, Putnam planned to introduce a bill called the Corporate Information Security Accountability Act. This act would have mandated that the Securities and Exchange Commission develop some type of risk assessment plan or information security standards that would, in turn, be forced on corporate America. This model was based partially on tools used by the SEC to help corporations prepare themselves for Y2K.

Putnam circulated a draft of the proposed legislation to C-level private-sector representatives. “We got a lot of response. People had some concerns and different ideas about how to get to this end result…. [Putnam] held back the legislation, and we decided to make this group,” says Bob Dix, staff director for the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, a subcommittee that Putnam chairs. The SEC also had its concerns with this plan. “With Y2K, there was an exact date and specific tasks, but securing our critical infrastructure is a much broader issue,” says Dix.

John McCarthy, a member of the CISWG and also the executive director of the Critical Infrastructure Protection Project, says he is “happy that Putnam did this and did not just throw out a heavy piece of legislation.” Major topics that McCarthy says the working group will address include critical infrastructure insurance, how to improve information-sharing between the private and public sectors, and how to create incentives for private industry to build security in as a core process.

But McCarthy feels that no matter what the group does, some type of legislation is necessary. Dix says “philosophically” neither he nor Putnam wants to impose regulations on the private sector. But Dix also says that if Putnam is not satisfied with what this group comes up with, legislation could go forward. It would differ from the draft, but some kind of bill would likely be introduced.