Export Compliance Daily is a Warren News publication.
Avoid ‘Legislative Impasse’

Senate Commerce Leaders Highlight Cybersecurity Act of 2013

The most important step the Senate Commerce Committee can take in improving cybersecurity in critical U.S. infrastructure is to “make sure the technical experts” at the National Institute of Standards and Technology “stay engaged and working with the private sector to develop effective cybersecurity standards,” said Chairman Jay Rockefeller, D-W.Va. The committee hearing where he spoke Thursday was largely a chance for Rockefeller and Ranking Member John Thune, R-S.D., to showcase the Cybersecurity Act of 2013, which they introduced the day before (http://1.usa.gov/19iJL7R).

S-1353 closely follows a draft bill the Senate Commerce leaders circulated earlier this month (CD July 12 p6). It would authorize NIST to focus on cybersecurity, including work with industry to develop cybersecurity standards on an ongoing basis. President Barack Obama’s cybersecurity executive order directed NIST to facilitate industry development of the voluntary Cybersecurity Framework, with the final version going public in February 2014 (CD Feb 14 p1). The bill would also strengthen the government’s cybersecurity research, education and public awareness efforts.

Thune said he hoped his and Rockefeller’s efforts to consult with industry and other stakeholders, as well as others in the Senate, will help “avoid the legislative impasse” this Congress. Senate Republicans balked at the Senate Cybersecurity Act of 2012 over concerns a provision meant to encourage adoption of cybersecurity guidelines would result in a “regulatory regime” on critical infrastructure owners and operators (CD Dec 27 p6). Thune encouraged the Senate Homeland Security Committee to enact similarly bipartisan reforms to the Federal Information Security Management Act. “If our committees can work to produce complementary consensus legislation, that will be a significant step forward in this area,” he said.

Thune said he has been impressed by NIST’s efforts to work with industry. Industry leadership in the framework’s development is “essential” to making it successful, said NIST Director Patrick Gallagher. Industry actors hold much of the capacity and “know-how” on effective cybersecurity strategies, and their existing practices are the most likely to “align with good business practices,” he said. Their best practices are also far more scalable than would be available in a government-written set of standards, he said.

Industry representatives testifying at the hearing praised the Cybersecurity Act. The bill is an effective complement to Obama’s executive order “by codifying the important steps the administration has already taken,” said Arthur Coviello, executive chairman of EMC security division RSA. A group of financial service industry groups also supports the bill, particularly the provision formally authorizing NIST’s cybersecurity work, said Mark Clancy, managing director-The Depository Trust & Clearing Corp. Clancy was speaking on behalf of the American Bankers Association, Financial Services Roundtable and the Securities Industry and Financial Markets Association. The sector “believes strongly in the importance of private sector leadership for responding to this threat,” he said.

The National Association of Manufacturers (NAM) also supports the bill, applauding its requirement that industry adoption of any NIST-facilitated cybersecurity standards remain voluntary, said Dorothy Coleman, NAM vice president-tax, technology and domestic economic policy. “Manufacturers will not support any legislation that creates a duplicative regulatory regime that puts undue burdens on manufacturers,” she said.

Other groups also voiced support for the bill before the hearing. The provision making NIST’s role in cybersecurity permanent “will help ensure that NIST’s current practices for engaging with industry on the development of cybersecurity standards are firmly enshrined in the law,” said Timothy Molino, BSA/The Software Alliance director-government relations, in a letter to Rockefeller and Thune (http://bit.ly/138v4R4). TechAmerica believes the bill “strikes the right balance as it preserves industries’ ability to innovate, develop and deploy technology that can respond to the ever changing cybersecurity threats,” said Kevin Richards, TechAmerica’s senior vice president-federal government affairs, in a statement. CenturyLink said the bill would be a “valuable component in our nation’s overall cybersecurity strategy” (http://bit.ly/15iTmHz). Frontier Communications believes the bill is a “key step in establishing the nation’s cybersecurity strategy,” said Kathleen Abernathy, Frontier Communications’ executive vice president-external affairs, in a statement. “The bill recognizes that a voluntary, industry-led process for cybersecurity standards and best practices is central to protecting corporate and individual information and systems as well as national security.”

Sens. Edward Markey, D-Mass., and Amy Klobuchar, D-Minn., voiced concerns during the hearing about the need for incentives to encourage industry adoption of the framework. Rockefeller said such questions are valid, but they’re better handled by the Senate Homeland Security Committee. Gallagher said he believes industry already has “a lot of self-interest” in creating a successful framework and has self-evident reasons for adopting it. The administration will closely follow the extent to which critical infrastructure industries actually adopt the framework once it’s completed, and will identify areas of friction that will inform future discussions about possible incentives, Gallagher said. The right framework will “go a long way” in encouraging industry to adopt it independent of additional incentives, Coviello said.