Two of the largest U.S. business-lobbying groups criticized a Senate cybersecurity bill aimed at shielding vital computer networks, saying the measure would burden companies with unneeded and costly regulation.
The bipartisan legislation introduced yesterday calls for the U.S. Homeland Security Department to identify systems critical to national and economic security and set security rules for overseeing companies and government agencies.
Lawmakers and regulators say rules are needed to fight increasingly sophisticated cyber attacks capable of disrupting power grids, banks and communications networks. Industry groups said the bill’s broad approach may raise costs for businesses and be too prescriptive, particularly for financial companies held to high security standards by regulators.
“If the end goal is to strengthen cybersecurity as we know it, why should we throw out what is working?” Peter Freeman, a vice president at the Washington-based Financial Services Roundtable representing Bank of America Corp. and JPMorgan Chase & Co., said yesterday. “Where existing structures have proven successful we shouldn’t replace them.”
The U.S. Chamber of Commerce, the nation’s biggest business lobby, opposes a new regulatory program overseeing vital systems and favors company incentives rather than rules to improve security, Bobby Maldonado, a spokesman, said by e-mail yesterday. The group agrees with seven Republican senators in urging lawmakers to delay consideration of the bill and hold hearings before a vote.
A Bloomberg Government study released Jan. 31 found that utilities, banks and other operators of critical networks would have to spend almost nine times more on computer defenses to achieve security capable of preventing 95 percent of attacks, an increase to $46.6 billion a year from about $5.3 billion.
The study, conducted by the Ponemon Institute LLC, a Traverse City, Michigan-based security-research firm, was based on interviews with technology managers at 124 companies and 48 government agencies.
The Senate Homeland Security and Governmental Affairs Committee scheduled a Feb. 16 hearing on the measure backed by Senators Joe Lieberman, a Connecticut Independent, and Susan Collins, a Maine Republican. Senate Majority Leader Harry Reid, a Nevada Democrat, has said he wants to bring the bill to the chamber’s floor for a vote as soon as possible.
Oracle Corp., a software and data-storage services supplier, and Cisco Systems Inc., a networking products provider, sent a letter yesterday supporting the bill to Reid, Lieberman, Collins and Senator Jay Rockefeller, a West Virginia Democrat. The legislation includes provisions that “will enhance the nation’s cybersecurity without interfering with the innovation and development processes of the American IT industry,” the companies said.
A letter expressing reservations about Reid’s plans for swift action on the measure by the full chamber was signed by Kay Bailey Hutchison of Texas, John McCain of Arizona, Charles Grassley of Iowa, Saxby Chambliss of Georgia, Lisa Murkowski of Alaska, Jeff Sessions of Alabama and Mike Enzi of Wyoming.
The push for comprehensive cybersecurity legislation has intensified following attacks last year on companies including New York-based Citigroup Inc., the third-largest U.S. bank by assets, and Bethesda, Maryland-based Lockheed Martin Corp., the world’s largest defense company.
“We are on the brink of what could be a calamity,” Rockefeller said in announcing the bill on the Senate floor. “A widespread cyber attack could potentially be as devastating to this country as the terror attacks that tore apart this country 10 years ago.”
Under the legislation, the Homeland Security Department would have the power to identify systems that may cause mass casualties or catastrophic economic damage when attacked. The agency would set regulations requiring operators of critical networks to improve security. Companies would have to show that their networks are secure or face penalties.
Other industry groups took a neutral approach to the bill.
The Senate legislation “is a careful and bipartisan approach” to protect critical systems “without forcing unnecessarily broad mandates on industry,” said Dan Varroney, acting president of TechAmerica, a Washington trade group whose members include Apple Inc., International Business Machines Corp. and Dell Inc.
He said his group seeks further changes to ensure the bill doesn’t impede industry’s “ability to continue to innovate and be flexible to respond to the evolving cyber threat landscape.”
The Edison Electric Institute, which represents investor-owned utilities including Southern Co. of Atlanta and Exelon Corp. of Chicago, hasn’t taken a position on the Senate bill, Dan Riedinger, a spokesman for the Washington-based industry group, said in a phone interview.
Dave Scanzoni, a spokesman for Duke Energy Corp., declined to comment on the legislation, saying his group supports a “uniform national approach to cybersecurity.”
The debate over cybersecurity legislation is unfolding amid increased concerns that U.S. networks are vulnerable to theft and sabotage. Hackers from China and Russia are pursuing American industrial secrets, jeopardizing an estimated $398 billion in U.S. research, according to a Nov. 3 report from the National Counterintelligence Executive, an advisory panel of senior U.S. security officials.
Companies with payroll and other corporate accounts lose about $1 billion a year because of hackers based mostly in Eastern Europe, according to Don Jackson of Dell SecureWorks. Hackers sell stolen credit-card data for as little as $3.50 per card on underground bazaars, an investigation by Bloomberg News showed last year.
More than 80 U.S. law firms have been targeted by China-based hackers intent on acquiring their clients’ deal data to give Chinese companies an edge in investments and negotiations, according to Mandiant Corp., an Alexandria, Virginia-based cybersecurity firm.
While disagreement exists on when hackers will disrupt critical U.S. networks, most authorities say it will occur within the next couple of years, James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies in Washington, told the House Energy and Commerce Communications and Technology Subcommittee during a Feb. 8 hearing.
The government and companies should work together to map out computer security deficiencies rather than impose a broad regulatory framework, Robert Dix, vice president of government affairs for Sunnyvale, California-based Juniper Networks Inc., a hardware and software provider, said in an interview Feb. 8.
“Let’s take the chewable bites,” said Dix, whose company makes computer hardware and software. “Let’s pass it, get traction and then build on it.”
The Senate bill is S. 2105.