Back in September, I posted here about Senate Commerce Committee Chairman John D. Rockefeller’s (D-WV) letters to all FORTUNE 500 companies inquiring about business opposition to cybersecurity legislation. This morning, Rockefeller released a report by his staff summarizing the gist of the roughly 300 responses he’s received to date. The report does not mention any companies or executives by name, but, together with an illustrative table, quotes anonymously and selectively from the responses received. Following is an overview of the report’s findings.
Over 80 of the Fortune 100 responded, with the rate falling off after that. Staff views the overall response rate as a “very positive sign that America’s largest companies and top business executives are taking the issue of cybersecurity seriously.”
All responses stated that they have developed cybersecurity practices to protect their infrastructure from cyber attacks, often based on legal compliance requirements. Many companies rely on audit firms and sector-focused trade groups to benchmark and develop their practices. Responses illustrated the federal government’s “ad hoc” approach to cybersecurity, involving sector-specific agencies and programs in the areas of chemicals, financial services, telecommunications and defense.
Staff’s review found that opposition to the legislation by the US Chamber of Commerce and other groups, while shared by some, was not shared by many companies; that overall, the private sector is supportive of passing cybersecurity legislation. Many companies support an increased government role, a voluntary federal program, and increased information-sharing between the private sector and the government. A variety of companies support greater cybersecurity R&D and workforce training.
Concerns raised about the legislation were about the specifics of the government’s role and what impact it would have on companies, such as whether voluntary requirements could become mandatory and would impact the ability to address cybersecurity issues in a flexible manner, or duplicate efforts already underway. Another common concern was the need to adequately protect the confidentiality of information shared with the federal government during cyber threat assessments. Companies in the financial and electric sectors expressed concern that existing regulatory relations would be disrupted.
It’s clear from today’s release and the aspirational measure Rockefeller introduced with fellow Democratic Committee Chairmen last week, S. 21, the Cybersecurity and American Cyber Competitiveness Act of 2013 that he and his colleagues intend to pursue legislation this year. It’s quite unclear how or when that will happen. Readers will recall that last year the Senate failed to advance legislation repeatedly, prompting the President to consider issuing an Executive Order. While it’s still quite early in the 113th Congress, the political calculus post-November seems to favor a continued stalemate: Democrats gained only a couple seats in the Senate, five votes short of a 60-vote, filibuster-proof majority. Also, unlike certain other issues, arguably, the election was hardly a referendum on or endorsement of the Senate bill or the President’s plan for cybersecurity. Nonetheless, hope springs eternal on Capitol Hill so we’ll continue to stay abreast of developments.