Senator takes cybersecurity law fight to CEOs

Sen. Jay Rockefeller (D-WVa.) hopes cybersecurity legislation can be revived in Congress by avoiding “the filter of beltway lobbyists,” and connecting directly with the nation’s top business leaders.

His critics say if he really wanted to get the view of business on the topic, he could have done so long ago.

Rockefeller, who said he is “profoundly disappointed” at the failure of the proposed Cyber Security Act of 2012 (CSA) last month, recently urged President Obama in a letter to implement provisions of the bill through an executive order.

A draft of an executive order is now reportedly circulating within the administration, stirring debate. 

But an end-run around Congress by the president will not be enough to secure the nation’s critical infrastructure from cyberattack, in Rockefeller’s view. In a letter dated Sept. 19 to all the CEOs of the Fortune 500, Rockefeller said, “legislation will still be needed and I would like to hear directly from our nation’s business community to understand their views on cybersecurity.”

Jacob Olcott, principal at Good Harbor Consulting and past counsel and lead negotiator on comprehensive cybersecurity legislation to Rockefeller, said in the years he worked on the Hill, “I cannot recall a letter that was sent to as many companies.”

[In depth: Organized cybercrime revealed]

Rockefeller, who chairs the Senate Committee on Commerce, Science, and Transportation, said in the letter that the filibuster against the CSA in the Senate, “was largely due to opposition from a handful of business lobbying groups and trade associations, most notably the United States Chamber of Commerce.”

He said he would be surprised if most American companies are as “intransigently opposed” to the CSA as the Chamber. “I would like to hear more — directly from the chief executives of leading American companies about their views on cybersecurity, without the filter of beltway lobbyists,” he wrote.

The letter includes eight questions to the CEOs about whether their companies have adopted a set of best practices on cybersecurity, how they were developed and what their concerns are about government involvement in private-sector cybersecurity. Rockefeller asked for responses by Oct. 19.

Not everybody is impressed. Jody Westby, CEO of Global Cyber Risk and a consultant on privacy, security and IT governance, said Rockefeller’s letter is an admission that, “he was trying to force cybersecurity legislation upon the business community when he did not have the basic information to support the need for such legislation.”

“At least he admits he does not understand the business community’s position, but seeking information that only he and his staff will have access to is not a transparent means of substantiating regulations that he continues to call ‘voluntary,'” she said.

Matthew Eggers, national security and emergency preparedness director of the Chamber, said Rockefeller misstates both the Chamber’s stance and its role. “There’s little disagreement about the challenges the United States faces in cyberspace or the need for federal legislation,” Eggers said in a statement. “However, disagreement exists over the legislative solutions.”

“We think Sen. Rockefeller’s comment that the Chamber is ‘intransigently opposed’ is off base. Chamber members have had weekly calls for more than a year to work through the various bills, inform and formulate Chamber thinking, and propose legislative solutions, he said. “Additionally, the Chamber has identified bills in the House and Senate that Congress should start passing, such as information-sharing legislation.”

And to Rockefeller’s implication that the Chamber does not represent the views of the majority of businesses, Eggers said, “The U.S. Chamber is the world’s largest business federation representing the interests of more than 3 million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations.”

Eggers said the Chamber has tried to engage with Congress. “Following the Aug. 2 cloture vote … in response to queries from lawmakers and staff, we developed through member input a 20-plus page analysis of (CSA). The document identifies shortcomings with that legislation and provides for ways to find common ground on a workable bill, which we are committed to pursuing.”

But Jacob Olcott said Rockefeller has been and is continuing to try to give businesses a major role. “[The proposed legislation] was about the private sector setting its own standards,” he said. “They would provide the governance framework about how you manage risk.”

Rockefeller, in his letter, insists that it is indeed “a voluntary program that would empower the private sector to collaborate with the federal government to develop dynamic and adaptable voluntary cybersecurity practices for companies to implement as they see fit.”

He said he thinks this should appeal to businesses more than the risk of, “reactive and overly prescriptive legislation following a cyber disaster.”

The often-stated response from CSA opponents to the declaration that the standards would be voluntary is that when it comes to government, “voluntary” rapidly becomes mandatory.

But Olcott said the risks are too great to ignore. “We’re talking about really serious societal harm,” he said. “It’s critical infrastructure that’s at stake.”

And he pointed to a report from this past May authored by Jody Westby for Carnegie Mellon University titled, “Governance of Enterprise Security: CyLab 2012 Report,” which found that boards and senior executives in Forbes Global 2000 companies “are not actively addressing cyber risk management.”

That, he said, is an indication that many corporate executives, “have not yet come to terms with their cyber risk management obligations.”

Westby agreed that boards and senior executives need to do more oversight of privacy and security, “but we don’t need Rockefeller for that,” she said.

“The two things Congress can do that would help engage senior executives are to give tax credits for cybersecurity investments and require public companies to indicate whether their companies have undertaken key activities in an enterprise security program,” Westby said.

“They do not have to require they undertake the activities; just that they indicate to shareholders and the public whether they have. They don’t dare lie, and it would encourage a culture of cybersecurity,” she said.