Congressman Puts Cybersecurity Plan on Hold
Date: November 05, 2003
A congressional plan to require publicly traded companies to get computer security audits will be put on hold while technology businesses try to come up with a proposal of their own.
Rep. Adam Putnam (R-Fla.), chairman of a House technology subcommittee, said he will postpone plans to introduce his bill and wait about 90 days to see what kind of alternative the business community proposes.
Putnam said the bill is modeled after mandatory disclosures that businesses had to provide to the Securities and Exchange Commission in 1999 as part of an effort to quash the so-called "Y2K bug." In this case, it would require publicly traded corporations to show the SEC that they conducted a professional computer security audit. There are no similar bills in the Senate.
"I think it's fair to say there's been quite a bit of concern about whether the SEC is the appropriate oversight body for a proposal that deals with computer security," said Putnam, who is the top Republican congressman on the Government Reform Committee dealing with cybersecurity. "That's a legitimate concern, and I've decided not to introduce the legislation until I've given this working group an opportunity to pull something else together."
Putnam said he will convene a cybersecurity working group on Wednesday that will include several business representatives. He declined to name members of the group, but several business lobbying groups confirmed they will be at the meeting, including representatives of the Business Software Alliance (BSA), the U.S. Chamber of Commerce, the Information Technology Association of America (ITAA) and TechNet.
"What Representative Putnam is asking us to do is to come up with a set of solutions that raise the issue of security much higher on the corporate agenda without creating burdensome new regulations," said ITAA President Harris Miller.
The push to get the nation's publicly traded companies to disclose their cybersecurity efforts to the SEC comes as more computer worms and viruses spread throughout the Internet and online crime increases, costing the business community at least $202 million last year alone, according to statistics from the FBI.
Businesses often keep cybercrime incidents under wraps and are generally unwilling to publicize any computer security measures, even with law enforcement. According to an April study by the Computer Security Institute and the FBI, just 30 percent of companies that experienced cyberattacks last year reported such incidents to authorities.
The business community is also generally opposed to government-sponsored requirements on cybersecurity, whether from Congress or the White House. The Bush administration's national cybersecurity plan makes recommendations for people and businesses outside the government but has no requirements except for federal agencies.
Mario Correa, the BSA's director of software policy, said that chief executives are beginning to understand that Congress will act if they don't treat cybersecurity as a higher priority.
"I think that both the tech- and non-tech companies realize they need to step up to the plate on this one or else Congress will at some point be put in a position where they are forced to regulate by virtue of a serious cyber incident taking place," Correa said.
Putnam said that even after the working group formulates a proposal, some federal legislation may be needed, if only to codify the industry's ideas. He warned that a weak proposal could lead to more stringent legislation.
"If there is a major cyber attack or if the loss of power this year in the Northeast is found to be directly related to a virus or unpatched computer there will be major legislation that takes a much more aggressive stance than what I've taken and they're not going to be able to say 'boo' about it," Putnam said. "So it behooves them to get in on the front end of this rather than being run over by the next crisis."