Yesterday, the Senate Committee on Commerce, Science, and Technology and the Senate Committee on Homeland Security and Government Affairs held a hearing titled “The Cybersecurity Partnership Between the Private Sector and Our Government: Protecting Our National and Economic Security,” in which the recent Executive Order on voluntary cybersecurity standards was discussed extensively.
The Executive Order directs agencies to look into incentives that can be used under existing law to encourage businesses to opt into the voluntary cybersecurity standards. Secretary of Homeland Security Janet Napolitano revealed that amongst the incentives that DHS is considering are a federal procurement preference and granting some sort of governmental seal of approval. Napolitano contends that the market in and of itself has not provided sufficient incentive for all businesses to raise their cybersecurity standards.
Senator Jay Rockefeller (D-WV), Chairman of the Commerce Committee, and Secretary Napolitano agreed that H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), is “wholly insufficient.” Rockefeller particularly stressed that cybersecurity is not an issue that Congress can afford to revisit every year in a piecemeal fashion, and that a more comprehensive bill must be pursued. Napolitano agreed, citing perceived insufficiencies in CISPA, such as its lack of attention to privacy concerns and its authorizing the NSA, rather than a civilian agency, to establish standards and share information.
Senator Mark Warner (D-VA) voiced concern about unintended consequences that could arise from voluntary standards. In particular, he worried that the standards could create a free rider problem, stagnant standards, or entrenched standards. Complying with stagnant standards, he warned, would be both dangerous and potentially wasteful. He was also concerned that entrenched standards could create a costly, complex barrier to entry for new businesses in certain industries.