Thank you for prioritizing cybersecurity as part of the legislative agenda in 2012. The growing cyber-threat to our economic and national security is alarming and calls for intelligent public and private sector action.
Management of cybersecurity risks is a shared responsibility that requires close public-private collaboration. Toward those ends, Business Roundtable stands ready to work with you and your colleagues in the Senate as well as with the Administration to advance legislation consistent with our policy statement, Mission Critical: A Public-Private Strategy for Effective Cybersecurity (Mission Critical). Business Roundtable believes legislation that promotes the rapid delivery of strategic threat information and technical support between the government and the private sector will be the most effective solution. Business Roundtable’s Mission Critical policy statement recognizes the need for a more modern, flexible and collaborative approach for safeguarding America’s economic and national security assets. Mission Critical urges a sophisticated management framework for information sharing free of prescriptive and burdensome regulatory requirements and reinvigorates our commitment to enhancing security and collaborating with the government.
As you know, in April 2012, the House of Representatives passed H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA). In December 2011, Business Roundtable endorsed CISPA as an effective legislative strategy and framework for delivering more profound levels of public and private sector cybersecurity.
Business Roundtable is encouraged by provisions in S. 3342, SECURE IT Act, which facilitate strategic threat information sharing, deter and combat cybercrime through global cooperation, and expand cybersecurity educational opportunities for attracting and training a world-class cyber workforce.
However, we believe further dialogue is required on provisions in S. 3414, the Revised Cybersecurity Act of 2012. As currently constructed, S. 3414 assigns broad new regulatory authorities to current federal agencies with responsibilities to regulate and to sector coordinating councils for sectors that are not regulated, and requires burdensome and ineffective “check-the-box” security approaches over sophisticated management of shared cyber risks. S. 3414 would lead to static, prescriptive regulations that do not address dynamic cybersecurity risks and would force companies to shift scarce resources from security to compliance. In our judgment, more research and analysis needs to be performed before Congress gives broad regulatory authority to any government agency or interagency group.
We are committed to assisting you with the creation and passage of the most effective cybersecurity legislation. If the nation is to persevere over our adversaries, the public and private sectors must work collaboratively to develop and implement policies that promote innovation and safeguard America from global cybersecurity risks. Thank you for your attention to this issue.
President and Chief Executive Officer
Chair, Information and Technology Committee
C: Senator Richard Burr
Senator Thomas Carper
Senator Saxby Chambliss
Senator Daniel Coats
Senator Susan Collins
Senator Dianne Feinstein
Senator Chuck Grassley
Senator Kay Bailey Hutchison
Senator Ron Johnson
Senator Joseph Lieberman
Senator John McCain
Senator Lisa Murkowski
Senator Jay Rockefeller