Cybersecurity laws affecting businesses on the way

WASHINGTON - The chairman of a U.S. Congress subcommittee dealing with cybersecurity promised legislation late this year that will affect how private businesses secure their pieces of cyberspace, but he didn't disclose the details about what he has in mind.

The cybersecurity legislation will be "meaningful regulatory approach to securing private-sector critical infrastructure" but, because many members of Congress don't seem to recognize the potential threat of cyber attacks, it will not be as wide-ranging as the Sarbanes-Oxley Act of 2002, which governs accounting procedures at public companies, said Representative Adam Putnam, chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

"There are a couple of areas where I believe the subcommittee will be drafting bills towards the end of this year that would impact the private sector," said Putnam, speaking at an e-government and cybersecurity event in Washington, D.C., Thursday. "We hope to begin that process before a major catastrophe. We would like to be on the front side of that."

Right now, it's difficult to say what that cybersecurity legislation will look like, added Putnam, a Florida Republican.

Putnam's comments came in response to a question from Daniel Burton, vice president of government affairs for security vendor Entrust Technologies Inc. Burton cited Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as examples of a "creeping aggregation of regulations."

Congress shouldn't take a "knee-jerk, let's legislate" approach to cybersecurity, Putnam answered, but many people in Congress and in the general public don't realize how many pieces of the U.S. critical infrastructure are controlled through networked technology. He used the example of flood-control gates on the Mississippi River or the power grids that serve stock markets.

After a disaster, Congress' response "is not the most well thought-out," Putnam added. "We want to put something out there that makes sense, that's balanced, that accomplishes the same goals, without it being this headlong rush to prove that we're doing something for our constituents because we were asleep at the switch when there was this digital Pearl Harbor."

After Putnam's speech, Burton said it sounds like Putnam's subcommittee will bring clarity to regulations on businesses. "Regulations are already here; people are just trying to understand what they mean," he said.

Congress has made good progress in educating itself on cybersecurity, added Tim Hoechst, senior vice president for technology at Oracle, and Putnam's comments seem to indicate that Congress is planning to take a next step toward mandated guidelines about cybersecurity.

"It sounds like we're getting beyond the just-talking-about-it stage, and that makes me happy," Hoechst said in an interview. "But it could go in a million different directions."