According to a Senate
Commerce Committee Democratic staff analysis, "many" of the 300
Fortune 500 companies who responded to a congressional call for input on
cybersecurity legislation "support the aims of a voluntary federal program
for the development of cybersecurity best practices," so long as it remains
just that -- voluntary.
But that "voluntary" caveat has always been the
stumbling block to a compromise cybersecurity bill, so it is unclear how much
distance there is between that finding and the stances of ISPs and other
industry players in opposing Democratic legislation.
That is from a memo to committee chairman Jay Rockefeller
(D-W.Va.), who sent
letters to all 500 companies last fall asking for input on cybersecurity
legislation he supported that ultimately stalled in the face of primarily
Republican opposition to a voluntary best practices regime they feared would
become a government mandate.
In the letter, Rockefeller said he wanted to hear from the
companies about their views of cybersecurity -- "without the filter of
Beltway lobbyists." He says he is not sure that American companies are as
"intransigently opposed" to the cybersecurity legislation he favors
as the Chamber of Commerce, which pushed back hard against the Act, has
"Our review of the companies' answers to these
questions shows that the Chamber of Commerce's vehement opposition to the
legislation was not shared by many companies in the private sector," the
staffers said in the memo. The individual companies' responses were not
included, and there was no quantification of how many "many"
According to the staffers, "many companies supported an
increased government role and many supported the voluntary federal program
envisioned in the Cybersecurity Act of 2012 (the Democratic version of the bill
backed by Rockefeller). However, many companies also raised concerns about any
new federal program that would set mandatory cybersecurity requirements, create
obligations that would impact their ability to address cybersecurity issues in
a flexible manner, or duplicate efforts already underway."
"Companies understand that the cyber threats we face
are real and they understand that the federal government must play an important
role in the nation's cybersecurity moving forward," is how Sen.
Rockefeller read the responses. "The companies' responses will be a great
resource as we refine much-needed cybersecurity legislation to improve and
deepen the collaboration between our government and private sector."
Perhaps, but the answers also still appear to reflect the
same industry stance as during the debate when the Democratic bill failed to
pass. That stance was that ISPs and others recognized the need for
cybersecurity protections and even legislation (like that proposed by
Republicans}, but that it should focus on information sharing -- a point many
companies volunteered in their responses to Rockefeller, the staffers said,
even though he didn't ask. Those companies have also not been opposed in
principle to voluntary guidelines if there were some way to assure they did not
become "one-size-fits all" government mandates.