Business Roundtable is an association of chief executive officers of leading U.S. companies working to promote a thriving economy and expanded opportunity for all Americans through sound public policy.
Cybersecurity threats from nation states and other well-funded, highly motivated actors present risks that neither the public nor the private sector can unilaterally address. Formidable criminals are systematically stealing intellectual property through cyber theft. Even more dangerous adversaries are developing tools and capabilities to disrupt critical services that support the world’s economy, security and public safety. Shared threats of this magnitude require unprecedented levels of public-private collaboration to successfully defend against them.
To that end, the single most important element of an effective cybersecurity policy is information sharing. Without timely and actionable information about threats, companies can only speculate about which risks are greatest. Effective information sharing is not only an exchange of threat information but also a robust set of trusted, well-structured and regularized policies and processes among the U.S. government, international allies and private-sector entities. Effective information sharing includes the two-way exchange of alerts, response actions, situational awareness and mitigation analysis.
However, instead of focusing on information sharing and collaborative risk management, government proposals misdirect scarce public and private-sector resources to compliance-based, check-the-box models. These proposals place the cart before the horse by calling for government creation of cybersecurity practices and standards before much-needed information sharing legislation is passed and implemented. Ultimately, these compliance-based solutions would fail to create an adaptive and collaborative structure that would allow the public and private sectors to advance risk management models capable of managing cybersecurity threats as they continue to evolve.
To effectively address the risks presented by cybersecurity threats, Business Roundtable has developed a cross-sector approach that can mature and strengthen over time and that will also improve the nation’s ability to identify gaps and measure progress. This approach — premised on our Mission Critical principles — calls for public and private-sector commitments covering:
- Information Sharing: We support legislation that creates robust, two-way information sharing, with appropriate legal and privacy protections, between government and the private sector to exchange the specific threat information that will allow both government and business to better secure the nation’s cyber assets and mitigate emerging threats in real time. The government must create a clear and concise legal framework for both private sector to private sector and private sector to public sector sharing, with appropriate liability, antitrust and freedom of information protections for those acting within the framework. All of the actions we propose depend on the advancement of information sharing and removal of current legal barriers.
- Threat-Informed Risk Management: Once cyber threat information is readily shared between the public and private sectors, it will be necessary to expand existing efforts to develop threat-informed risk management and mitigation methodologies. To accomplish threat-informed risk management, new policies must build on existing sector coordinating councils and government operations centers and must position senior public and private sector leaders to collaboratively oversee cybersecurity efforts. In addition, we call on government, using threat information and other intelligence, to increase law enforcement capabilities to disrupt, apprehend and prosecute cyber criminals.
- CEO Commitments to Cybersecurity: To support the objectives outlined above, the CEOs of Business Roundtable will invest in the infrastructure necessary to receive shared threat information and will develop the capabilities required to integrate cybersecurity threat and risk information into CEO risk management. We also recommend that boards of directors, as part of their risk oversight functions, continue to periodically review management’s business resiliency plans, including cybersecurity, and oversee risk assessment and risk management processes, including those applicable to cybersecurity.
We are committed to working with Congress and the Administration to achieve solutions that provide the public and private sectors with the intelligence and tools necessary to collaboratively confront sophisticated cybersecurity risks.