IT leaders question U.S. cybersecurity mandates

WASHINGTON -- U.S. companies need to work together to improve their cybersecurity before a major cyberattack prompts the U.S. Congress to pass hasty legislation, the chairman of a cybersecurity-focused House subcommittee told IT industry leaders Tuesday.

Representative Adam Putnam, chairman of the House Committee on Government Reform's Subcommittee on Technology, Information Policy Intergovernmental Relations and the Census, decided this month not to introduce a bill that would require public companies to report their cybersecurity initiatives to the U.S. Securities and Exchange Commission (SEC).

"A hell of a lot of negative feedback" over the proposed bill forced Putnam, a Florida Republican, to reconsider the legislation, he said. IT security experts objected to the proposal Tuesday during a discussion on government's role in cybersecurity sponsored by the Center for Strategic and International Studies in Washington, D.C. Putnam warned IT company leaders, however, that any private sector efforts to build consensus on cybersecurity best practices may be washed aside by Congress if there is a major cyberattack on U.S. infrastructure.

Any one of 1,000 cyberattack scenarios -- from an attack that takes out part of the power grid to an attack that causes the dams to open on a major river -- could prompt Congress to act, Putnam said.

"The bottom-line foundation that's driving our action on this issue is that Congress makes very poor decisions in the wake of a disaster," he said. "If the industry doesn't get serious about being proactive and putting in place a cybersecurity plan that works now ... any one of those (scenarios) would lead to legislation from this body that would not be what the industry would sit down and write if they had the time."

Putnam listed examples of legislation passed quickly that later caused problems for private industry, including the Sarbanes-Oxley financial reporting law passed in 2002 after accounting scandals involving Enron Corp. and other companies. He urged tech leaders to support a cybersecurity working group of IT security experts he set up after deciding not to introduce his legislation.

Some opponents of the proposed legislation questioned why it applied only to public companies, and others questioned if such legislation is needed. "Some people don't think that the time has come," Putnam said. "My response to that is the time will at a time of someone else's choosing in a disastrous situation."

But IT industry representatives said they opposed most government cybersecurity mandates on private industry, including the Putnam proposal, during the discussion on the government's role in cybersecurity. Private industry should soon come up with a set of best practices, said Greg Garcia, vice president of information security policy and programs at the Information Technology Association of America, an industry trade group based in Arlington, Virginia.

Cybersecurity has only been a major push in the U.S. government and many private industries since denial of service attacks on major Web sites in 2000, and since then, the IT sector has suffered through budget cuts after the dot-com bust, Garcia said.

"I want to just step back and say, 'We're getting there'," Garcia said. "(Cybersecurity) takes time, it is hard, and it is complicated. Legislation is not the answer now ... but we're glad for (Putnam) stimulating our thinking."