Next: Laws to Guard Cyberspace?

Congress may make businesses spell out their cybersecurity policies.

WASHINGTON, D.C. -- As Congress reconvenes this week after a monthlong break, legislation imposing cybersecurity policy on private industry, including a plan requiring public companies to report their cybersecurity efforts, may be on the way.

No bill has been introduced yet, but one proposal being considered would require companies to fill out a cybersecurity checklist when they file with the Securities and Exchange Commission. Representative Adam Putnam (R-Florida), chair of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, is considering introducing such a bill late this year, says Bob Dix, the subcommittee's staff director.

Antispam legislation continues to be the major technology focus in Congress this fall, Dix notes. But Putnam's subcommittee is also considering the "pluses and minuses" of a cybersecurity reporting requirement, similar to SEC accounting reporting requirements mandated in the Sarbanes-Oxley Act of 2002, Dix says.

Easier Approach

Such a law would get chief executive officers, not just chief information officers, thinking about cybersecurity issues. It also would avoid imposing blanket cybersecurity requirements that may not fit all businesses, says Daniel Burton, vice president of government affairs for security vendor Entrust.

"Different companies have different security needs and different risks. So it's impossible to set up a mandate for everyone," Burton says of a suggested SEC cybersecurity reporting requirement.

Stockholders and boards of directors could then judge whether a company is adequately dealing with cybersecurity, Burton says. "Everyone from the board level on down is really going to be focused on what [the cybersecurity reports] are saying."

The bill Putnam is considering wouldn't require companies to disclose specifics of their cybersecurity efforts, Dix says. Instead, it could take the form of a checklist, asking such questions as "Do you have an up-to-date IT assets list?"

The bill would aim to raise cybersecurity awareness among top-level executives at companies, Dix adds.

If such a bill were introduced, the subcommittee would expect some opposition, Dix says. "My guess is, there will be some who say [that] anything the government proposes is a great burden," he says.

But Congress may be spurred to act on cybersecurity legislation if more high-profile viruses or worms appear, says Robert Housman, a lawyer in the homeland security practice of the law firm Bracewell & Patterson in Washington, D.C. In the past month, the Sobig and Blaster worms infected computers worldwide, causing millions of dollars in damage. Congress may be compelled to take action, Housman predicts.

"There are a number of things that are working together that are going to result in some form of legislation on cybersecurity," Housman says.

Other Security Concerns

Aside from viruses and worms, attacks on company networks continue to escalate, Housman says.

"On top of all that, there is a perception, right or wrong, among a lot of the regulators and congressional members I've talked to, that not enough is happening on the [cybersecurity] front, that companies still remain vulnerable," Housman adds. "Because of that, there is a growing impetus to legislate or regulate."

The tech industry may be more receptive to legislation involving incentives or reporting requirements than a list of orders, Housman says.

"If we have [another] cyber incident, who knows what will happen?" he says. "I have to think that sooner or later, someone is going to cause fairly significant dislocation [or] chaos. If that happens, all bets go off."

Housman still expects Congress to seriously consider some sort of cybersecurity legislation this year. A reporting requirement, like one Putnam's subcommittee may present, would hold companies accountable for their cybersecurity efforts, he notes. But such a requirement, if it also involves reporting penetration attempts, could make investors and executives nervous, Housman says.

"If you run a major business ... you're getting attempts to break into your system on a fairly regular basis," Housman says. "When you start having to report those numbers, if that's one of the things [the legislation] does ... wow, that could make some of your shareholders a little queasy."
