Senator takes cybersecurity law fight to CEOs

Sen. Jay Rockefeller (D-WVa.) hopes cybersecurity legislation can be revived in Congress by avoiding "the filter of beltway lobbyists," and connecting directly with the nation's top business leaders.

His critics say if he really wanted to get the view of business on the topic, he could have done so long ago.

Rockefeller, who said he is "profoundly disappointed" at the failure of the proposed Cyber Security Act of 2012 (CSA) last month, recently urged President Obama in a letter to implement provisions of the bill through an executive order.

A draft of an executive order is now reportedly circulating within the administration, stirring debate.

But an end-run around Congress by the president will not be enough to secure the nation's critical infrastructure from cyberattack, in Rockefeller's view. In a letter dated Sept. 19 to all the CEOs of the Fortune 500, Rockefeller said, "legislation will still be needed and I would like to hear directly from our nation's business community to understand their views on cybersecurity."

Jacob Olcott, principal at Good Harbor Consulting and past counsel and lead negotiator on comprehensive cybersecurity legislation to Rockefeller, said in the years he worked on the Hill, "I cannot recall a letter that was sent to as many companies."


Rockefeller, who chairs the Senate Committee on Commerce, Science, and Transportation, said in the letter that the filibuster against the CSA in the Senate, "was largely due to opposition from a handful of business lobbying groups and trade associations, most notably the United States Chamber of Commerce."

He said he would be surprised if most American companies are as "intransigently opposed" to the CSA as the Chamber. "I would like to hear more -- directly from the chief executives of leading American companies about their views on cybersecurity, without the filter of beltway lobbyists," he wrote.

The letter includes eight questions to the CEOs about whether their companies have adopted a set of best practices on cybersecurity, how they were developed and what their concerns are about government involvement in private-sector cybersecurity. Rockefeller asked for responses by Oct. 19.

Not everybody is impressed. Jody Westby, CEO of Global Cyber Risk and a consultant on privacy, security and IT governance, said Rockefeller's letter is an admission that, "he was trying to force cybersecurity legislation upon the business community when he did not have the basic information to support the need for such legislation."

"At least he admits he does not understand the business community's position, but seeking information that only he and his staff will have access to is not a transparent means of substantiating regulations that he continues to call 'voluntary,'" she said.

Matthew Eggers, national security and emergency preparedness director of the Chamber, said Rockefeller misstates both the Chamber's stance and its role. "There's little disagreement about the challenges the United States faces in cyberspace or the need for federal legislation," Eggers said in a statement. "However, disagreement exists over the legislative solutions."

"We think Sen. Rockefeller's comment that the Chamber is 'intransigently opposed' is off base. Chamber members have had weekly calls for more than a year to work through the various bills, inform and formulate Chamber thinking, and propose legislative solutions," he said. "Additionally, the Chamber has identified bills in the House and Senate that Congress should start passing, such as information-sharing legislation."

And to Rockefeller's implication that the Chamber does not represent the views of the majority of businesses, Eggers said, "The U.S. Chamber is the world's largest business federation representing the interests of more than 3 million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations."

Eggers said the Chamber has tried to engage with Congress. "Following the Aug. 2 cloture vote ... in response to queries from lawmakers and staff, we developed through member input a 20-plus page analysis of (CSA). The document identifies shortcomings with that legislation and provides for ways to find common ground on a workable bill, which we are committed to pursuing."

But Jacob Olcott said Rockefeller has been and is continuing to try to give businesses a major role. "[The proposed legislation] was about the private sector setting its own standards," he said. "They would provide the governance framework about how you manage risk."

Rockefeller, in his letter, insists that it is indeed "a voluntary program that would empower the private sector to collaborate with the federal government to develop dynamic and adaptable voluntary cybersecurity practices for companies to implement as they see fit."

He said he thinks this should appeal to businesses more than the risk of, "reactive and overly prescriptive legislation following a cyber disaster."

The often-stated response from CSA opponents to the declaration that the standards would be voluntary is that when it comes to government, "voluntary" rapidly becomes mandatory.

But Olcott said the risks are too great to ignore. "We're talking about really serious societal harm," he said. "It's critical infrastructure that's at stake."

And he pointed to a report from this past May authored by Jody Westby for Carnegie Mellon University titled, "Governance of Enterprise Security: CyLab 2012 Report," which found that boards and senior executives in Forbes Global 2000 companies "are not actively addressing cyber risk management."

That, he said, is an indication that many corporate executives, "have not yet come to terms with their cyber risk management obligations."

Westby agreed that boards and senior executives need to do more oversight of privacy and security, "but we don't need Rockefeller for that," she said.

"The two things Congress can do that would help engage senior executives are to give tax credits for cybersecurity investments and require public companies to indicate whether their companies have undertaken key activities in an enterprise security program," Westby said.

"They do not have to require they undertake the activities; just that they indicate to shareholders and the public whether they have. They don't dare lie, and it would encourage a culture of cybersecurity," she said.

Stories by Taylor Armerding