Senator Rockefeller to Fortune 500: What Are You Doing About Cybersecurity? : LXBN Roundtable

By | LXBN | September 25, 2012

If at first you don’t succeed, try, try, try again.  Or so goes the proverb, coined by W.E. Hickson.  In the wake of The Cybersecurity Act of 2012′s failure, Senator John D. Rockefeller, one of the Act’s co-sponsors, is taking that proverb to heart.  A month ago, Rockefeller sent a letter to President Obama calling for an executive order to address cybersecurity issues.  After another month of no response, Rockefeller has widened his scope. This time, instead of the President of the United States, the Senator’s letter was sent to the most powerful men and women in the private sector, the CEOs of Fortune 500 companies. (Read the full letter here)

Come October 19th, Senator Rockefeller expects these CEOs to respond to his eight questions, each intended to determine commercial cybersecurity standards, and what steps corporate entities take to protect their “critical infrastructure.”  Christopher Loeffler lays out the eight questions on Kelley Dry & Warren‘s blog, Ad Law Access:

  1. Has your company adopted a set of best practices to address its cybersecurity needs?
  2. If so, how were these cybersecurity practices developed?
  3. Were they developed by the company solely, or were they developed outside the company?  If developed outside the company, please list the institution, association, or entity that developed them?
  4. When were these cybersecurity practices developed?  How frequently have they been updated?  Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
  5. Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
  6. What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
  7. What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
  8. What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

While responding to Rockefeller’s letter is voluntary, there’s no doubt the Senator expects his inbox to be overflowing, and the executives of these companies would be foolish to pass up such a golden opportunity.  Nearly two months ago, when The Cybersecurity Act of 2012 was floundering in the face of a Republican filabuster, business owners and entrepenuers (represented by The United States Chamber of Commerce) were the most vocal opponents of the Act.

Rockefeller’s letter offers them a chance to voice their concerns without, as Rockefeller himself puts it, “the filter of beltway lobbyists.”  Adam Veness writes on Privacy & Security Matters, Fortune 500 CEOs would be wise to realize these concerns aren’t going away:

“Although the companies receiving the letter are not legally obligated to respond, the letter is further evidence that, even though Congressional action has ground to a halt, the quest for cybersecurity legislation is not going away.   According to a report in The Hill, two U.S. Senators have called on President Obama to issue an executive order to address urgent action and a critical need to fill the cybersecurity void. Companies should be proactive and implement cybersecurity safeguards and policies now so that these protections are already in place by the time any regulatory action is taken.”

But while legislators in Washington D.C. debate the finer points of regulatory policies, many Fortune 500 companies have already taken steps to protect themselves from cyber attacks, and are wary of the burdens of regulations.  Richard Stiennon, an IT consultant to several Fortune 500 companies over the past 15 years, echoed many of these concerns in a recent open letter to Rockefeller.  In that letter, Stiennon questions the government’s openness in exchanging information with companies, and the government’s own data security.

Stiennon, in response to the first part of question 6, reminds Rockefeller that staying ahead of cybercriminals is tricky business:

“We are in a constant battle against malware, cybercrime, and nation state espionage. Creating a new department to engage in such an exercise would be expensive and distract us from our current efforts to find, hire, and retain the skilled security people we need as the threat rises, the methodologies of the attackers gain in sophistication, and the targets of their attacks expand to all of our intellectual property.”

Perhaps the most notable passage comes at the very end of Stiennon’s letter, where he pleads that internet technologists and scientists be let in the backrooms where legislation is crafted:

“Senator, I would suggest that, like in many matters involving science and technology, that the scientists and technologists should be brought into future deliberations on cyber legislation. Fiascoes like the failed SOPA act can be easily avoided if the right conversations are held with the right stake holders. The technologists that make the Internet operate and the security experts that are battling to defend it need to be brought to the table in order to form better policy.”

Although several points in Stiennon’s open response seem antagonistic, the overall message is clear: Businesses are aware of the risks and are doing everything they can to safeguard sensitive information; government involvement and regulations would only serve to impede progress. And while that argument is the same argument business make in the face of any increased regulation, it is increasingly pertinent as legislators continue to stumble in their attempts to regulate the internet.

It is also fair to ask how much the respondents of Rockefeller’s letter stand to lose if they answer the questions “incorrectly.”  Al Saikali, the author of the Data Security Law Journal, wonders just that in his post today:

“These questions raise several issues for the companies responding to them.  For example, how much detail should a company provide in response to these questions, keeping in mind that responses will likely be a matter of public record and may be viewed by competitors or potential cyber attackers?  What about companies that have not yet prepared formal cybersecurity practices?  Do they now have to admit this failure on the record, keeping in mind that the Committee also wants to know when those practices were developed?  Regarding the Cybersecurity Act, the responses will likely need to express concern about excessive government intervention and regulation while at the same time demonstrate sensitivity to protecting critical infrastructure like utilities, transportation, and telecommunications.”

In the midst this debate, one of LXBN’s most prominent and experienced authors on the subject of cybersecurity, Stewart Baker, was preparing to give testimony in front of the House Homeland Security Committee regarding the current state of cybersecurity.  In his post discussing cybersecurity legislation, Baker calls for a different approach than the current ad hoc regulations being crafted in Washington, D.C.:

If we’re going to do this, though, we can’t rely exclusively on government. Sure, governments have resources and authorities beyond those of any single company. But in aggregate, it’s the private sector that is losing the most and that has the most resources to put into locating and punishing the attackers.”

Baker goes on to advocate for a more private sector-centric plan of attack against cybercriminals:

“We need a corps of digital repo men and investigators that the private sector can deploy in a battle that the US government alone is losing. Of course we need to make sure this corps is regulated and can be sanctioned for excesses, as we do with repo men and investigators. But that’s not hard to achieve. In fact, DHS could probably experiment with such a solution tomorrow if it chose, as could the FBI. Law enforcement agencies often have probable cause for a search warrant or even a wiretap order aimed at cyberintruders. Sometimes they use contractors to help them carry out a particularly technical search. So why don’t they simply obtain a lawful intercept or search warrant aimed at a sophisticated hacker and turn the execution of the warrant over to a private contractor paid for by the victim and supervised by the agency? As long as it happens under government supervision, I can’t think of any legal barrier to doing that tomorrow.”

Baker notes that much of the opposition to this method comes from an anti-vigilante sentiment, similar to the way we prefer policeman to investigate crimes over private investegators.  Typically, officers of the law are held to a higher standard and their scruples are questioned less than those of a P.I.  However, it is safe to say Fortune 500 companies aren’t dealing with your typical criminal.  Hackers are well-known for their ability to escape detection and prosecution, and the more regulators focus on defenses instead of going on the offensive, the more likely it is corporations leave themselves open to security breaches.  It may be a tough pill to swallow, but this may be a case where less regulation accomplishes more.

To read more analysis on Senator Rockefeller’s letter, check out LXBN’s curated page which includes legal analysis from lawyers all over the country.