Despite a significant outreach effort by the Obama administration to garner industry input into a new cyber security directive issued this week, a key business group remains opposed to the Executive Order, which would create voluntary practices and standards that the private sector could employ, or not, against cyber threats.
The United States Chamber of Commerce, which last year opposed a Senate cyber bill that called for the creation of minimum security standards and practices that could be voluntarily adopted by the private sector, said the administration’s Executive Order is “unnecessary.”
Ann Beauchesne, vice president of National Security and Emergency Preparedness for the chamber, said in a statement that her organization “opposes the expansion or creation of new regulatory regimes.” She added that “The chamber also urges the administration to signal its support for industry-backed information-sharing legislation, full liability protections, and other narrowly tailored measures to help businesses improve the protection and resilience of their information systems.”
Beauchesne’s comments are essentially the same as those she made last month on the chamber’s website ahead of the expected release of the order.
The Executive Order, which was issued recently, directs that the federal government share classified and unclassified cyber threat information with select U.S. private sector entities, but it can’t mandate that the private sector share similar information with the government or other companies. And the directive can’t offer liability protections to industry. Only congressional legislation can facilitate the multi-way information sharing and the liability protections.
While the Chamber of Commerce is opposed to the executive action, other business groups aren’t. The Professional Services Council (PSC), which represents government services contractors, said the directive is a step in the right direction.
“Moving us toward a standardized cyber security framework and bilateral risk sharing between the government and private sector will make government and industry systems safer from a cyber attack,” Alan Chvotkin, executive vice president of the PSC, said in a statement. He also said that Congress needs to act to provide liability protections for industry to share information with the government.
The Information Technology Industry Council (ITIC), which advocates for technology companies, praised the Executive Order for citing the need to leverage public-private partnerships and for creating a framework of consensus-based standards and practices that can be voluntarily employed by industry.
However, Internet Security Alliance head Larry Clinton sees a “mixed bag” in the new cyber directive, adding that its success comes down to implementation.
On the one hand, Clinton said in a statement that “If the administration truly engages the private sector in developing an economically sustainable system to promote greater cyber security, this could be a game changing moment.” He said that under the expanded cyber threat sharing program, called the Enhanced Cybersecurity Services program, companies that qualify to receive this information will not only be smarter about the threats they face but may be able to find ways to improve the security of the products they sell, which is good for business and boosts security overall.
On the other hand, Clinton is concerned that the voluntary standards identified under the Executive Order could become mandatory. He warned that the voluntary approach to standards adoption could be a “stalking horse for an antiquated regulatory model focused on growing federal authority over private systems, which would neither pass in Congress nor work to create a sustainably secure cyber system if it did pass.”
The Intelligence and National Security Alliance (INSA), whose membership includes government and the private sector, said it “applauds” the administration’s focus on aligning the government’s existing authorities “to enable a multi-tiered approach to further protect our nation’s critical cyber infrastructure.” The association’s Cyber Council Chair Terry Roberts said INSA will facilitate discussion and debate toward “ground-breaking cyber legislation.”