A Cybersecurity Offer Companies Can’t Refuse

Paul Rosenzweig

In a remarkable letter to all Fortune 500 CEOs, Senator Jay Rockefeller (D–WV) bemoans the business community’s opposition to his cybersecurity legislation, the Cybersecurity Act of 2012. He is shocked—simply shocked, as was Captain Renault in Casablanca—that any business institution could possibly oppose more government red tape when “security” is on the line.

Though he says that the opposition is “for some reason I cannot understand,” this lack of understanding is transparently political. The not-so-subtle threat in the letter, of course, is that if anything bad ever happens in cybersecurity, the Senator plans to blame the business community, whether they are truly responsible or not.

In August, the Senate considered Senator Rockefeller’s extensive cybersecurity bill. Most of the bill was uncontroversial and attracted widespread bipartisan support. Everyone agrees, for example, that the federal information security system needs to be modernized and that we can benefit from a greater focus on cyber education.

What divided the Senate (and continues to divide it today) is the belief by some that a new regulatory program is necessary. According to its supporters, the private sector has failed to adequately protect the cyber networks, so the federal government needs to set national cybersecurity standards for the private sector. Opponents have many questions about this approach and think it is fundamentally inconsistent with basic principles of free markets and good governance. Their efforts sidetracked the bill before the August recess.

Undeterred by this, the Obama Administration is reportedly considering the issuance of an Executive Order that would do as much in the way of mandates as it can under existing law. And now Senator Rockefeller, one of the lead sponsors of the regulatory measure, has returned to the fray.

An even more notable aspect of the Senator’s letter is the deeply detailed set of questions about each Fortune 500 company’s cybersecurity policies. He asks each company whether it has cybersecurity practices, when they were developed, how they were developed, how frequently they are updated and whether the federal government played any role in developing them. The Senator also asks three questions that can best be paraphrased as “please tell me what could possibly be wrong with my highly reasonable legislation and why you disagree with me when I am so obviously right?” There are a number of points one can make about this letter:

  1. The letter calls for a voluntary response. But calling it voluntary is really a misnomer. The Senator expects a response and will be very upset if none is forthcoming. The invitation to respond is an offer that business can’t refuse, and it makes clear that “voluntary” cybersecurity regulations would really be mandatory ones. Industry is right to fear the prospect of a new intrusive regulatory system with an unknown cost.
  2. Does Senator Rockefeller think so little of small businesses that their efforts are not even worth discussing? Only the Fortune 500 companies are surveyed. This disregard for the work and challenges faced by small businesses is exactly what opponents of the legislation are worried about.
  3. Conversely, the Senator’s request for information is wildly overbroad. Clearly companies like Oracle and Google are relevant to the cybersecurity debate. But does Senator Rockefeller really think that Foot Locker and Dr. Pepper Snapple are a major cybersecurity risk? This overly broad concern again reflects the fears of opponents, who are quite certain that any regulatory system will not be limited to truly critical infrastructure. Cyber is everywhere, and the Senator seems to think that federal cybersecurity regulation will also be everywhere.
  4. Wouldn’t these be the exact questions that should be raised in a hearing? As Chairman of the Commerce Committee, you would think Senator Rockefeller could arrange to make that happen.