Cybersecurity is on the 113th Congress’ agenda given recent developments in the U.S. Senate. Today Senator Rockefeller, Chairman of the Commerce Committee, released a staff memorandum presenting the responses his office received to his September 2012 letter regarding cybersecurity practices. The letter, which we discussed in a previous post, went to the CEOs of every Fortune 500 company and requested responses to eight questions regarding companies’ cybersecurity practices and concerns with federal legislation. To date, approximately 300 companies have responded, including over 80 percent of the Fortune 100, prompting the release of a memo summarizing the responses received so far, as well as a table of selected quotes.
The staff memorandum first summarizes the companies’ responses regarding their current cybersecurity practices. All respondents report having developed internal cybersecurity practices, often based on existing legal requirements (such as HIPAA or the Energy Policy Act of 2005). Many companies relied on NIST guidance in developing their internal practices. And several companies noted their involvement in sector-specific agency programs (such as those run by the Department of Homeland Security for chemical facilities).
The staff memorandum, which is likely to inform future discussions of legislation, also describes the companies’ responses with respect to congressional action on cybersecurity. Most companies reportedly stated general support for some governmental involvement in cybersecurity, while noting more specific concerns about mandatory or duplicative measures.
Last week, Senator Rockefeller and other Senate Democrats introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 as a starting point for comprehensive cybersecurity legislation.
Senator Rockefeller’s report comes on the heels of recent reports of cyberattacks on US banks and federal savings associations, which prompted the Office of the Comptroller of the Currency (a bureau of the US Department of the Treasury) to release an information security alert in December 2012.
In the meantime, an Executive Order on cybersecurity is still widely expected to be issued soon. Key Senate Democrats supported President Obama’s issuance of an executive order after congressional efforts to pass cybersecurity legislation stalled in the summer of 2012. The executive order is expected to create a voluntary information sharing program, require NIST to create a cybersecurity framework, and support further sector-specific agency efforts to develop cybersecurity initiatives.
These developments are likely to inform and influence what is expected of corporate information security efforts across industries, so continued monitoring of them is prudent.