Business Roundtable backs CISPA approach to cybersecurity

Influential association of CEOs says threat information sharing key to securing critical infrastructure, but rejects new rules

A cybersecurity proposal released Wedneday by the influential Business Roundtable supports many of the provisions contained in the controversial Cyber Intelligence Sharing and Protection Act (CISPA) that was passed by the U.S. House of Representatives last year.

The roundtable's 32-page report rejects new federal cybersecurity regulations and instead espouses a more self-regulatory approach in which private industry will work with the government to secure the nation's critical assets against cyberthreats.

The Business Roundtable represents the CEOs of hundreds of leading U.S. companies from virtually every major industry including critical infrastructure areas such as oil, gas, financial services, telecom and the power sector. The association claims that its members generate a combined $7.3 trillion in annual revenues and employ nearly 16 million employees worldwide.

This is the first time that the BRT has issued such detailed recommendations for cybersecurity and the proposals contained in its report are sure to be welcomed by supporters of the largely Republican-backed CISPA bill.

The CISPA bill is somewhat at odds with a White House backed Senate bill called the Cybersecurity Act of 2012 which calls for a more regulatory approach to address cybersecurity risks in critical infrastructure. That bill died in Congress last year, prompting the White House to announce that it would issue a cybersecurity executive order for protecting critical assets.

Like the CISPA bill, the roundtable's proposal too advocates a two-way information sharing approach in which private sector companies and government agencies such as the DHS and the National Security Agency will share cyber threat information and intelligence with each other. The goal of such information sharing is to enable quicker detection and mitigation of emerging threats against critical infrastructure targets. Private companies have long maintained that such threat information sharing is essential to their ability to fight cyberthreats.

However, several privacy advocates, rights groups and even lawmakers have expressed concern over large-scale information sharing between the government and private sector, even if it is meant to bolster security. They are concerned it would allow the government to snoop on and collect an unprecedented amount of information on Internet users under the pretext of cybersecurity.

In addition to enabling information sharing, the government also needs to take the lead in developing new collaborative threat-based risk management and mitigation strategies, the Business Roundtable said in its report.

The association's report called on the government to take the lead in identifying the most severe risks and consequences of a cyberattack in specific sectors. Based on the threat information provided by the government. Companies will then work to identify high-risk assets and collaborate with the government on ways to address those risks. As part of that effort, roundtable-affiliated companies will make any technology and process changes that may be needed to bolster cybersecurity, the report noted.

"The private sector should collaborate by sector, and potentially across sectors to deploy mitigation strategies based on the outcome of threat-informed risk assessments," the Bassociation said in its report. Both the private sector and the government should invest in advanced and collaborative risk management and mitigation capabilities to keep pace with evolving threats.

As part of its proposals, the roundtable called on Congress and the administration to create a consortium of senior leaders such as the National Security Telecommunications Advisory Committee to oversee and report on the collaborative risk mitigation efforts between the private sector and government.

"We are very supportive of the CISPA bill," said Liz Gasster, vice president of Business Roundtable, and one of those who spearheaded the report. But for true information sharing to happen within the private sector and with the government, Congress has to remove current legal barriers, she said.

Companies need to be sure that they will not face liability and anti-trust issues when sharing threat information with each other and the government, Gasster said. "We think it is very important for companies to be encouraged to share threat information that may be useful, for instance, with competitors," she said. But currently, any time that happens it raises potential anti-trust issues, Gasster said. "Companies need to be sure they are not running afoul of antitrust rules or exposed to potential liability risks in sharing information."

Gasster downplayed the concerns raised by opponents of the CISPA bill, noting that most of the issues that were raised by rights advocates had been addressed in the version that was finally passed by the House. Any privacy issues than come up in future can be addressed through legislation, she noted.

The real division is over whether a regulatory approach like the one proposed by the Cyber Security Act is needed to address cybsercurity issues, she said. The roundtable is opposed to proposals that call for the creation of new security requirements for critical infrastructure, she said. "[Business Roundtable] is concerned that these proposals would shift the nation's resources towards a static, compliance-based regime to address cybersecurity threats," she said quoting from the report.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and Hackingsecuritycyberwarfareintel

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by JR Raphael

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts