Two weeks ago we blogged about some specific thoughts on Senator Rockefeller’s letter to Fortune 500 companies asking them to voluntarily provide information on their cybersecurity programs. Senator Rockefeller’s deadline of October 19 for a response is fast approaching. Since our last report, a number of other developments have occurred and several groups have also responded. Here is a sampling of some of the dialog:
- The electric utilities sent a letter to Senator Rockefeller right after our blog post, explaining their support for the general notion of cybersecurity reform but also expressing concerns about how such a system would affect the regulations to which they are already subject. They made it clear that they “do not oppose such a regime, provided it does not seek to supplant the existing regulatory structures and public-private coordination already taking place in the electric and nuclear power sectors.” This message, consistent with what we’ve been hearing from other industry participants across various sectors, is that a “piling on” of security regulation just for the sake of putting something in place could do more harm than good. Certain aspects, however, could be useful. Also from the electric utilities letter: “in the absence of consensus, we would encourage Congress to act on legislation improving information-sharing capabilities among government and industry.”
- The U.S. Chamber of Commerce came out swinging in response to Senator Rockefeller letter. Recall that Senator Rockefeller said in his letter that he would be surprised if the companies he has solicited “are as intransigently opposed to our cybersecurity legislative efforts as the Chamber of Commerce has indicated they are.” The Chamber has been quite vocal in its opposition to the efforts of Senator Rockefeller. According to Chamber officials, Senator Rockefeller’s bill would result in a “government-managed process” for creating and managing cybersecurity standards and that voluntary guidelines would ultimately “impose new obligations on participating companies.”
- The notion of “voluntary” has been a recurring theme on multiple fronts. For example, the Heritage Foundation remarked that “calling [the Rockefeller letter] voluntary is really a misnomer…The invitation to respond is an offer that business can’t refuse and that makes it clear that voluntary cybersecurity regulations would really be mandatory ones. Industry is right to fear the prospect of a new intrusive regulatory system with an unknown cost.” Back in July, when analyzing the Rockefeller-sponsored bill, one group similarly noted that “voluntary standard systems can too easily become mandatory standard systems” and that the White House shares this view (making the imminent Executive Order that much more of a concern). Mike Daniel, Cybersecurity Coordinator, has been quoted as saying that “the idea of mandatory [cybersecurity] standards was “legislatively almost impossible” right now, but “that’s the ultimate goal.”
- The voluntary nature of cybersecurity regulation also comes into play when considering the impending Executive Order. Last week, a Senate staff meeting occurred with members of the Obama Administration. During that session, it was “made clear that cybersecurity … should be addressed by the legislative process, rather than by administrative fiat via an Executive Order. The executive branch does not have the legal authority to implement a comprehensive cybersecurity policy…[and it] could potentially result in intrusive regulation, confusion, gaps in coverage, and uneven application of policy, thus causing more harm than good. ”
- As recently as yesterday, a letter was sent by Senators Collins, Snowe, and Lugar to the White House. Echoing our point from last month, the letter states: “The ramifications of a national cybersecurity policy for the public and private sectors are significant and deserve the transparency and legitimacy that can be achieved only though the legislative process. Moreover, an Executive Order could have the unintended consequence of undermining the need for Congress to act by lulling people into a false sense of security that the problem has been “solved” through executive action.”
If nothing else, the Rockefeller letter has further turned up the rhetoric on a few different aspects of the cybersecurity debate. In particular, the issue of voluntary versus mandatory approaches to cybersecurity regulation is being hotly debated. Similarly, the use of regulation versus an Executive Order has gotten renewed attention.
As to the substantive parts of the letter, many companies continue to struggle with drafting responses with which they are comfortable. Most people to whom we’ve spoken feel that not responding would be disastrous, but crafting a meaningful response (that doesn’t cause downstream problems) has proven to be tricky. It will be interesting to see where Senator Rockefeller goes with all of this. By the time he does anything, however, we may be facing a whole new round of legislative sparring.