Posted on 27 May 2011
The core of a new White House proposal for protecting America's computer systems from cyberattacks is seen as "regulatory overreach" by the U.S. Chamber of Commerce.
The criticism comes as a blow to the White House, where officials thought they had secured the influential business group's support. And the Chamber's stance could threaten the prospects for the administration's approach, cybersecurity specialists said.
"You need the Chamber to be supportive," said James Lewis of the Center for Strategic and International Studies, who advised the administration on the issue. White House officials "thought they had gotten a fair degree of support from the Chamber and others."
The Chamber issued a press release after the White House's plan was released last week, welcoming the proposal. But Chamber officials say they have found significant areas of concern, worries expressed in an internal draft position paper reviewed by The Wall Street Journal.
"The draft may be tough, but we are trying to be responsible and engage policy makers," a Chamber official said. "It's reflecting our concerns [about] potential regulation as we see them."
The White House and Pentagon have zeroed in on protecting crucial infrastructure from cyberattacks because so many functions crucial to American life, such as the electric grid, Wall Street, communications and transportation systems, are increasingly vulnerable due to their reliance on the Internet.
U.S. intelligence officers worry that cyberattackers could break into computer systems to crash subway trains, destroy nuclear reactors or disrupt financial markets, among other tactics. Already, U.S. officials have found cyberspies snooping around the nation's electric grid.
The White House plan had its roots in an outline drawn up by Senate Republicans, who wanted a "flexible business-friendly" system, said Mr. Lewis of the Center for Strategic and International Studies, adding that companies haven't on their own instituted sufficient computer security measures.
The Chamber's main complaint is that the White House plan would require certain companies running the most-crucial infrastructure to submit to more rigorous outside oversight of their cybersecurity practices.
Under the president's proposal, the Department of Homeland Security and industry representatives would identify the companies most vital to U.S. crucial infrastructure. Those companies would develop plans to address cyberthreats, and the plans would be reviewed by an outside auditor. In some cases, the companies would have to certify to the Securities and Exchange Commission that the plans were adequate.
In its internal document, the Chamber said this approach would create new regulations. "Layering new regulations on critical infrastructure will harm public-private partnerships, cost industry substantial sums, and not necessarily improve national security," according to the document. The criteria used to decide which companies would have to comply with more rigorous oversight, the Chamber says, "is incredibly broad." Further, it says, requiring companies to comply with a third-party assessment would be "costly and time consuming, particularly for small businesses."
Homeland Security and other agencies could recommend improvements in company plans they found lacking. A summary of the plans would be made public.
Publicizing cybersecurity assessments would be "counterproductive to good security," the Chamber document said.
The Chamber opposed another requirement to notify Homeland Security of "any significant cybersecurity incident." Such a mandate, the Chamber said, would establish a "very heavy" burden on business.
The Chamber also objects to the White House's proposal to factor cybersecurity into the awarding of federal contracts, saying such "prescriptive mandates" will lead to "artificially chosen technology winners and losers" in federal contracting.
Further, the Chamber concludes, new procurement rules on cybersecurity would encourage foreign countries to establish their own cybersecurity rules, which could be used to shut U.S. companies out of foreign markets.
"The private sector shares responsibility for cybersecurity, and I'm surprised that they seem to want to take a pass on such an important issue," said Sen. Jay Rockefeller (D., W.Va.), chairman of the Senate commerce committee, who co-sponsored legislation similar to the Obama administration proposal.
The White House has been aggressively courting business support of its cybersecurity measures. White House cybersecurity chief Howard Schmidt called the president of the Chamber the morning before the plan was released to give him advance notice of the proposal's specifics. Some cybersecurity experts have criticized the White House proposal as too accommodating to industry demands.
"Our proposal strikes a critical balance between strengthening security, preserving privacy and civil-liberties protections, and fostering continued economic growth," said White House spokesman Nicholas Shapiro. "The Chamber's draft document certainly misinterprets some of the administration's thinking, and we are confident that those misinterpretations will be fixed as we continue ongoing conversations with the Chamber on this important issue."
The Chamber's draft paper surprised cybersecurity specialists and the White House, in part, because of the group's press release.
In it, Ann Beauchesne, the Chamber's vice president of national security and emergency preparedness, called the proposal "the latest in a series of important actions" by the White House on cybersecurity. The statement also said the Chamber was reviewing the proposal, noting that "we may not agree on every aspect of the proposal."