The White House and the U.S. Chamber of Commerce dug in to opposing positions on cybersecurity legislation yesterday as federal officials escalate warnings about hacker threats to the nation.
An executive of the Chamber of Commerce, the largest U.S. business lobby, backed a voluntary system to let the government and industry share cyber threat information during a panel discussion at the National Press Club in Washington.
White House Cybersecurity Coordinator Michael Daniel stood behind the goal of President Barack Obama’s administration to create cybersecurity standards for companies that operate power grids, chemical plants and other assets considered critical to U.S. national and economic security.
“We want to ensure that those companies and owners of those assets are actually bringing their cybersecurity up to a sufficient level,” Daniel said.
There are pieces of infrastructure that, if crippled by a cyber attack, could damage the country and the economy, Daniel said.
Senate Republicans in August blocked a cybersecurity bill backed by Obama that would have set voluntary cybersecurity standards for privately-owned critical systems. The bill also would have encouraged companies and government to share information on cyber threats.
Republicans and the Chamber of Commerce opposed the measure, saying standards would be a back door to government regulation of companies and wouldn’t keep pace with evolving threats in cyberspace.
“Whether you want to call it light touch, voluntary, in its implementation we still believe it would be more of a regulatory approach,” Ann Beauchesne, the chamber’s vice president of national security and emergency preparedness, said at the panel discussion. “We just don’t see that as the right tack to take.”
The chamber supports a measure focused solely on information sharing that passed the Republican-controlled House of Representatives in April, Beauchesne said. Minimum standards for cybersecurity should be developed by industry, not government, and should vary for different sectors, she said.
Obama’s administration may issue an executive order to accomplish some of the goals of the bill it supports, while saying it can take only limited action on its own and urging lawmakers to act. Senate Majority Leader Harry Reid, a Nevada Democrat, has pledged to bring the Obama-backed measure to the Senate floor again during a post-election lame-duck session of Congress.
The Obama-backed bill’s lead sponsors are Senators Joe Lieberman, a Connecticut independent, and Susan Collins, a Maine Republican. Lieberman, who isn’t seeking re-election, is chairman of the Senate Homeland Security and Governmental Affairs Committee. Collins is the panel’s top Republican.
U.S. Defense Secretary Leon Panetta in a speech this month faulted Congress for failing to act on comprehensive cybersecurity legislation, saying computer assaults by other countries or extremist groups could be as destructive as the Sept. 11 terrorist attacks.
Panetta pointed to recent cyber attacks, including a series of distributed denial-of-service assaults on the websites of major U.S. banks and an attack on the computer network of Saudi Arabian Oil Co., known as Saudi Aramco, as “significant escalation” of the threat.
Referring to news reports that the Saudi Aramco attack was carried out by a company employee, Joseph Rigby, chief executive officer of Pepco Holdings Inc., said internal threats are “very high on our list of awareness and concern.”
“People that have their hands on or have access to the infrastructure, we’re doing background checks, we’re doing security checks, things like that, but people’s personalities change, what’s happening in their lives,” Rigby said. “You have to be very, very diligent around what your people are doing.”
Daniel, the White House cybersecurity coordinator, and other administration officials have been meeting with lawmakers and industry representatives about a possible executive order. Republican senators including John McCain of Arizona and Kay Bailey Hutchison of Texas oppose the White House taking unilateral action, saying the issue should be handled in Congress.
An executive order probably won’t be issued before the November presidential election, Daniel said earlier this week. He declined to comment on timing beyond that.
“Traditionally in security, societies assign that responsibility to their government,” Jane Holl Lute, deputy secretary of homeland security, said at the panel discussion. “In cyberspace there have been no assignments yet made.”