Rockefeller Asking Senate Leadership for Vote on Cybersecurity Bill

"Getting floor time is very, very important,” Rockefeller said. “I don’t think this is going to be a partisan issue. I'm quite certain it isn’t. … I am consulting with my leadership about where there might be an opening.” Snowe is “bipartisan” and easy to work with, but industry needs to keep pushing for the bill, Rockefeller said. “I sincerely appreciate your engagement, your association’s engagement with us to point out where what we've done may miss the mark a bit,” he added. “Your input has made a good bill even better. Not only do we have a shared responsibility, your participation and input is important to the process.” The Senate Homeland Security Committee is also looking at cybersecurity legislation, Rockefeller noted. “That’s fine. More bills are better,” he joked. “I don’t really mean that, but I thought it was important to say that.”

Passing a bill is critical to protecting networks, Rockefeller said. “As a member and former chairman of the Intelligence Committee, and now current chairman of the Commerce Committee, I work at the legislative crossroads between our national security and economic security,” he said. “From that vantage point, obviously we all know how grave the situation is.” The networks Americans depend on are at risk, he said. “The Senate gets hit” by cyberattacks, he said. “Senators get hit. I got hit. It just goes on constantly."

Rockefeller said, as with most issues before the Commerce Committee, the debate turns into an argument over the benefits of regulation versus those of letting the market correct itself. That’s a “dangerous false choice,” he said. “The government cannot do this on its own and neither can the private sector. This has been demonstrated and proven. We all recognize that traditional regulation will not work because a bureaucracy simply cannot keep up with the necessary pace of innovation. Likewise, it should be clear that leaving our security solely to the market is a failing strategy."

Some say the most catastrophic scenarios have yet to unfold, Rockefeller said. “We hear that a lot,” he said. “Nothing has really happened. First of all, that’s just dead flat wrong. What’s been interdicted no one reads about.” The price of inaction would be regulation, he said. “We cannot wait for a crisis to occur,” Rockefeller said. “If we were to drag our feet and God forbid, a terrible disaster took place, I fear the public’s impulse and the government’s response might be to impose tough, unbending solutions. We can do far better by acting now, and by acting together.”

White House cybersecurity coordinator Howard Schmidt detailed a national cybersecurity initiative at the conference to tackle immediate cyberthreats, defend against the full spectrum of threats and strengthen future cybersecurity. The plan calls for actions such as coordinating and redirecting research and development efforts, improving situational awareness, expanding cyber-education, defining and developing enduring deterrence strategies and programs, developing a multipronged approach for global supply chain risk management, defining the federal role in extending cybersecurity into critical infrastructure domains, deploying intrusion detection and prevention systems and managing the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.

In BSA’s newly released Global Cybersecurity Framework, the trade group backed increased international collaboration against cybercrime while urging limiting the burden of any regulations on business. “In the borderless world of cybercrime, national laws and enforcement efforts must align with global approaches and practices,” said BSA CEO Robert Holleyman. While the trade group called for more sharing of cybersecurity information among companies and between the government and private sector, it believes that information sharing must be voluntary. A fundamental principle of effective security protection is that not all targets require the same level of protection and not all threats present the same risk, BSA said, urging the government not to mandate compliance with country-specific cybersecurity standards. The government shouldn’t force notification of customers whose data is breached if the data are unusable, unreadable or indecipherable, BSA said, also urging limiting breach notification requirements to situations where there’s a significant risk of the use of personally identifiable information to cause harm. Governments should maintain a policy of technology neutrality when developing cybersecurity policies and laws, said the group, whose members include companies like Microsoft, IBM, Cisco and Intel. The group also endorsed proposals for increasing spending on law enforcement, funding security research and development and cybersecurity education.

Mark Bregman, Symantec’s chief technology officer, emphasized promoting multilateral partnership. States have varying cybersecurity approaches, creating inconsistency, he said. And states tend to treat cybersecurity as a domestic issue, making international coordination difficult, he said, urging uniform international laws on fighting cybercrime. National interests are best protected by global standards, said Donald Proctor, senior vice president for cybersecurity at Cisco. Standards have been fragmented and used as trade barriers by some countries, he said, saying the government can play a role in areas like strengthening international law enforcement and international cooperation and information sharing. The Obama administration will work closely with standards bodies to start technical assessment to identify priorities in standardization, said Eric Werner, director of cybersecurity at the White House. There have been efforts on the Hill to improve standardization and the administration seeks to unify the efforts to eliminate fragmentation, he said. Before imposing any rules, policymakers need to realize the fast-moving nature of cybersecurity, said Charles Palmer, chief technology officer for security and privacy at IBM Research. He said regulations should be outcome-based.