CEOs Voice Support For Cyber Legislation, With Caveats

Fortune 500 CEOs widely support cybersecurity legislation that increases voluntary information sharing between the private sector and the federal government, according to a survey by Sen. Jay Rockefeller, D-W.Va.

Sen. Rockefeller had written a letter to Fortune 500 CEOs in September asking for their views on federal cybersecurity policy. In a memo released Wednesday, the majority staff for the Senate Committee on Commerce, Science and Transportation summarized the more than 300 responses to Rockefeller's letter in a memo.

"Nearly every company that provided a thorough response expressed support for more robust, two-way cyber threat information sharing, with greater access to security clearances to ease the process," the memo said. However, while "many" companies supported a voluntary information sharing regime, many also expressed concerns about mandatory, inflexible or duplicative cybersecurity standards.

[ Which tech initiatives should Obama prioritize in his next term? Read 5 Items Should Top Obama's Technology Agenda. ]

Despite broad language expressing support for comprehensive cyber legislation that focuses on elements like information sharing, lack of detailed statistics in the Senate memo means it remains unclear exactly how much support and concern exists among respondents to Rockefeller's letter.

Rockefeller was among a group of senators pushing to pass comprehensive cybersecurity legislation in 2012. That bill, which was amended to strip out mandatory information-sharing programs, was nonetheless blocked by Republicans in the Senate in August after vocal opposition to the bill from lobbying groups like the Chamber of Commerce.

A debate over whether comprehensive cybersecurity legislation should include mandatory standards for private sector companies had been one of the sticking points for passage of the legislation through part of 2012.

On January 23, Rockefeller and six fellow Democratic senators introduced the 2013 version of the legislation: the Cybersecurity and American Cyber Competitiveness Act of 2013. In introducing the legislation, Rockefeller said that he saw an "opportunity to reach needed consensus" on cyber legislation during this Congress. The current version of Rockefeller's legislation includes no mandate.

According to the memo, " very few companies" surveyed expressed "outright opposition" to the 2012 bill, and "only a subset" of those companies' views aligned with the Chamber of Commerce's opposition, which expressed concern even about voluntary information sharing. Rather, "many" companies favored voluntary information sharing, including use of the program to develop best practices, conduct risk assessments and identify critical infrastructure.

There was less support, however, for the prescription of a single set of inflexible best practices, especially if those practices would be disruptive to current regulatory compliance. A number of companies worried that mandatory standards would lead to additional costly "check the box" compliance, negatively impact innovation and fail to keep up with the rapid pace of change in the cyber world.

Among the choice -- though anonymous -- quotes from Fortune 500 CEOs:

-- "We agree that collaborative efforts between government and business are essential in undertaking the significant challenges related to cybersecurity, much like partnerships we currently have for disaster response and recovery," said one national retail chain CEO.

-- "Congress [should] continue working to pass cybersecurity legislation that will advance risk management practices, strengthen the protection of critical cyber infrastructure and enhance appropriate information sharing of actionable information concerning cyber threats," said a Fortune 100 tech CEO.

-- "[My company] is concerned that 'voluntary' will lead to 'regulated,' resulting in precious resources being diverted away from active threat management to compliance-based activities," said one Fortune 100 energy CEO.

In a statement accompanying the staff memo, Rockefeller said that the CEOs' responses "will be a great resource as we refine much-needed cybersecurity legislation to improve and deepen the collaboration between our government and private sector."

While Rockefeller might express optimism about his bill this year, the Chamber of Commerce retains its opposition, which could again gum up the legislative process and potentially scuttle this year's bill. However, even if Congress fails or is unable to react, the White House has been preparing an executive order that could put in place a number of cybersecurity and information-sharing policies even without new legislation.

Offensive cybersecurity is a tempting prospect. It's also way too early to go there. Here's what to do instead. Also in the new, all-digital Nuclear Option issue of InformationWeek: Military agencies worldwide are figuring out the tactics and capabilities that will be critical in any future cyber war. (Free registration required.)