[ISN] Congress considers cybersecurity legislation

From: InfoSec News (isnat_private)
Date: Fri Sep 05 2003 - 00:05:36 PDT


By Grant Gross
IDG News Service

As the U.S. Congress reconvenes this week after a month-long break,
legislation imposing cybersecurity requirements on private industry,
including a proposal that would require public companies to report
their cybersecurity efforts, may be on the way.

No bill has been introduced yet, but one proposal being considered
would require companies to fill out a cybersecurity checklist in their
filings with the U.S. Securities and Exchange Commission.

Representative Adam Putnam, chairman of the House Government Reform
Committee's Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census, will consider introducing
such a bill late this year, according to Bob Dix, the subcommittee's
staff director.

While antispam legislation will continue to be the major technology
focus in Congress this fall, Putnam's subcommittee is looking at the
"pluses and minuses" of a cybersecurity reporting requirement, similar
to the SEC accounting reporting requirements mandated in the
Sarbanes-Oxley Act of 2002, Dix said.

Such a law would raise awareness of cybersecurity issues above the CIO
level to CEOs, while likely avoiding specific cybersecurity
requirements that may not fit all businesses, said Daniel Burton, vice
president of government affairs for security vendor Entrust.

"It does not mandate you must do X, which we all realize is a false
start," Burton said of an SEC cybersecurity reporting requirement.
"Different companies have different security needs and different
risks. So it's impossible to set up a mandate for everyone."

Stockholders and boards of directors could then judge for themselves
whether a company is adequately dealing with cybersecurity, Burton
said. "Everyone from the board level on down is really going to be
focused on what (the cybersecurity reports) are saying," he added.

The bill Putnam is considering wouldn't require companies to lay out
specifics about their cybersecurity efforts, Dix said. Instead, it
could take the form of a checklist, asking such questions as, "Do you
have an up-to-date IT assets list?"

The bill would be intended to raise cybersecurity awareness among
top-level executives at companies, Dix added.

If such a bill is introduced, the subcommittee would expect some
opposition, Dix said. "My guess is there will be some who say anything
that the government proposes is a great burden," he said.

But Congress may feel the need to act on cybersecurity legislation if
more viruses or worms are unleashed onto the Internet, said Robert
Housman, a lawyer in the homeland security practice of the law firm
Bracewell & Patterson LLP in Washington, D.C. In the past month, the
Sobig and Blaster worms infected computers worldwide, causing millions
of dollars in damage, and Congress may be compelled to take some
action, Housman predicted.

"There are a number of things that are working together that are going
to result in some form of legislation on cybersecurity," Housman said.

In addition to viruses and worms, the number of attacks on company
networks continues to climb, Housman said.

"On top of all that, there is a perception, right or wrong, among a
lot of the regulators and congressional members I've talked to, that
not enough is happening on the cyber front, that companies still
remain vulnerable," Housman added. "Because of that, there is a
growing impetus to legislate or regulate."

Legislation headed toward incentives or reporting requirements may be
better received by industry than a list of must-do actions, Housman
said. "If we have (another) cyber incident, who knows what will
happen?" he said. "I have to think that sooner or later, someone is
going to cause fairly significant dislocation/chaos. If that happens,
all bets go off."

Housman expects to see some sort of cybersecurity legislation getting
serious attention in Congress this year. A reporting requirement, like
the one Putnam's subcommittee is considering, would hold companies
accountable for their cybersecurity efforts, he added. But such a
requirement, if it also includes reporting of penetration attempts,
could make investors and executives nervous, Housman said.

"If you run a major business ... you're getting attempts to break into
your system on a fairly regular basis," Housman said. "When you start
having to report those numbers, if that's one of the things (the
legislation) does, wow, that could make some of your shareholders a
little queasy."
ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Fri Sep 05 2003 - 03:17:31 PDT