Senate Cyber Legislation Facing Industry Resistance Over Cost
By Eric Engleman and Chris Strohm
A Senate measure aimed at compelling operators of vital U.S. utility and other networks to strengthen cybersecurity drew resistance from some business groups concerned that the bill would raise companies’ costs.
Responses to draft versions of the legislation have included “hard pushback” from trade groups as well as enthusiastic support, Tommy Ross, senior intelligence and defense adviser to Senate Majority Leader Harry Reid, said at a Bloomberg Government conference today.
“We’re never going to get to a place where the entire private sector supports the notion that the government should have the ability to intervene,” Ross said. “We are getting very close to a point where a large swath of the private sector buys into what we’re doing here.”
Spies, criminals and hacker-activists are stepping up assaults on U.S. government and corporate systems, spurring efforts by Congress and President Barack Obama to shield infrastructure essential to U.S. national and economic security, such as power grids and water-treatment plants.
Reid, a Nevada Democrat, has said he plans to bring a cybersecurity bill to the Senate floor by Feb. 17. The measure, which has yet to be formally introduced, would authorize the Homeland Security Department to identify infrastructure that is critical to U.S. economic and national security and develop standards that must be met to protect computer networks.
The U.S. Chamber of Commerce, the nation’s largest business-lobbying group, said it has “serious concerns” that the draft Senate legislation may bring added expenses and urged lawmakers to delay consideration.
“Layering new regulations on critical infrastructure will harm public-private partnerships, cost industry substantial sums on compliance, and not necessarily improve economic and national security,” Bruce Josten, the Chamber’s executive vice president of government affairs, wrote in a letter yesterday to Reid and Minority Leader Mitch McConnell, a Republican from Kentucky.
A Bloomberg Government study released today found that utilities, banks and other infrastructure operators would have to spend almost nine times more on computer defenses to reach a state of security capable of preventing 95 percent of cyber attacks.
The Bloomberg Government study was conducted by Ponemon Institute LLC, a Traverse City, Michigan-based security-research firm, which interviewed technology managers at 124 companies and 48 government agencies.
Even an incremental improvement in computer defenses would require a significant investment, according to the Bloomberg study. To be able to thwart 84 percent of attacks, up from the current 69 percent, respondents said they would have to almost double their average expenditures on equipment and practices such as user verification systems, encryption and workforce training.
The study’s findings highlight the need to explore ways to finance cybersecurity improvements rather than focus solely on technology standards and requirements, Larry Clinton, president of the Washington-based Internet Security Alliance, said at the conference.
“The threats and costs are going up but the investments are going down,” said Clinton, whose group’s members include Lockheed Martin Corp., Verizon Communications Inc. (VZ) and Northrop Grumman Corp. The study “documents what that gap is and indicates that it is much higher than we had expected.”
Representative William “Mac” Thornberry of Texas, who heads a House Republican task force on cybersecurity, said Congress should act on legislation this year while avoiding bills that take a prescriptive approach to computer defenses.
“The threat changes so fast, technology changes so fast, that there is no way government regulation can ever keep up,” Thornberry said at the Bloomberg Government conference.
Thornberry said company executives responsible for critical infrastructure need to make network security a “bigger deal,” and said the government can assist companies in certain ways, including by sharing threat data.
“We expect a company to have locks on the doors and maybe a fence around them,” he said. “We don’t expect them to defend themselves against bombers that come over the top.”
House Republicans support more narrowly targeted bills that would provide companies with incentives to better protect their networks and promote information sharing with the government. Such bills could come to the House floor in late February or early March, Thornberry said.