From: National Journal
By Josh Smith
Cyberattacks have business leaders concerned, but what may be equally worrisome to them is the potential for sweeping new government regulations designed to counter cyberthreats.
On Tuesday the Business Roundtable, which includes dozens of America’s largest corporations, released a report calling for industry-friendly, voluntary steps, rather than overt mandates, to reduce cyberattacks.
Its message to the government: Help us, but don’t overregulate us.
“Business Roundtable does not support legislative and policy solutions that prioritize simple ‘check-the-box’ activity over sophisticated management of shared cyber-risks,” the report said.
Government officials have been sounding the alarm over cyberattacks.
“Alongside this nuclear danger is an entirely new kind of threat we have to be better prepared to confront – the threat of cyberattacks,” Defense Secretary Leon Panetta said in a speech at a Woodrow Wilson Center event on defense priorities on Tuesday. “Cyber has become a major concern as we face large numbers of attacks from nonstate actors and large nations alike, and the prospect of a catastrophic disruption of critical infrastructure that would cripple our nation.”
Business leaders have also highlighted the threat, but companies that experienced cyberattacks have been criticized for not publicizing the breaches or for being slow to tell customers. Several bills before Congress would set rules for how businesses respond to data breaches, and other legislation targets a range of related issues.
In order to effectively protect U.S. networks, the government and private businesses need more information on how to manage the threat, according to the Business Roundtable study.
The report also called for Congress and the White House to remove regulatory barriers to information-sharing, including provisions in antitrust, health care, intellectual-property, and other laws.
Besides easing some current restrictions and reforming laws, the government has exclusive access to resources that can help businesses, MasterCard CEO Ajay Banga told reporters on Tuesday.
“We need government to do its part by providing the tools only government can provide – including strategic threat assessments, technical assistance and much more robust public-private information-sharing partnerships – to help businesses effectively counter growing threats,” he said.
Specifically, the report identified several areas where current efforts are lacking.
No fully integrated effort exists to coordinate the government’s economic, homeland-security, and defense cybersecurity programs, for example. There is no clear system for sharing information between government and businesses; businesses don’t have access to enough help from federal officials; and private industries of all kinds need to develop best practices for combating cyberthreats.
In addition, global policies and procedures are too outdated to effectively prosecute cybercrime, the report says.
Republicans in Congress may help businesses in these efforts. They released broad legislative proposals last week. A House GOP cybersecurity task force called for more incentives for businesses to increase their network security.
“It is our view that it is really hard to regulate in this area, because it changes so fast. We believe there should be a whole menu of incentives to look at,” Rep. Mac Thornberry, R-Texas, chairman of that task force, said at an event at the Center for International and Strategic Studies on Tuesday.
The GOP panel, which included members of nine key House committees, recommended reforming a range of current laws, including the 2002 Federal Information Security Management Act, which governs federal security programs.
The federal government should leverage its buying power to help boost cybersecurity by upping its own standards, Thornberry said. He also called for an organization to act as a clearinghouse for public-private information-sharing.