Business inaction could lead to cybersecurity law

CIOL Bureau

Andy Sullivan

WASHINGTON: U.S. businesses for years have urged the government to let them set computer-security standards of their own, but their inability to do so could now prompt Congress to step in, experts say.

Those who worry that regulation may stifle innovation say the business community may have already missed an opportunity to prove the government's help is not needed.

"The market is in a much better position to respond to this challenge ... but corporate America has not provided evidence across the board that they've taken this issue seriously enough to protect consumers," said Bob Dix, a lobbyist for Citadel Security Software Inc., who until last year handled cybersecurity for a congressional subcommittee.

The private sector is under scrutiny after a string of incidents at data brokers, retailers and other businesses exposed at least half a million U.S. citizens to identity theft.

The business community for years has argued that any government regulations would quickly become outdated in a rapidly changing field, and a 2003 Bush administration plan called on the private sector to set its own standards.

Working with the Homeland Security Department, an industry-led task force issued a set of guidelines in April 2004 that called for company chief executives to take direct responsibility for their computer systems.

One year later, only two companies have adopted the guidelines: Entrust Inc. and RSA Security Inc., whose chief executives co-chaired the task force.

Corporate lawyers warned that any public security promises could open the door for lawsuits in the wake of a security breach, said Entrust CEO Bill Connor.

"Clearly people would rather be risk-averse to the legal side than risk-averse to the hacking and breaching," he said.

The Department of Homeland Security is also to blame for not promoting the guidelines after they were released, Connor said. A department spokeswoman did not return a call seeking comment.

A separate effort that took place on Capitol Hill had similar results.

Florida Republican Rep. Adam Putnam proposed in 2003 that publicly traded companies should describe their computer-security efforts in their annual reports. In return for shelving that proposal, Putnam and Dix, his chief of staff, pressed businesses to come up with a plan of their own.

LIABILITY CONCERNS

But the U.S. Chamber of Commerce, software makers and others worried about legal liability made sure that the standards were so vague as to be meaningless, said several people involved in the effort.

"They were ... I want to use the word 'murdered,' but that's one size too big," said Alan Paller, who runs the SANS Institute, a cybersecurity training and research organization. "We had a long meeting where their entire effort was to change the word 'should' to 'could.'"

A Chamber of Commerce lobbyist acknowledged that the world's largest business organization didn't want the working group to come up with specific guidelines. Andrew Howell, the Chamber's vice president for homeland-security policy, said the actual standards-setting process would be best left to the American National Standards Institute.

A spokesman for the private standards-setting body said no cybersecurity efforts are currently underway.

Even so, businesses are making progress, said Amit Yoran, who oversaw cybersecurity at the Homeland Security Department until last October.

Until recently most companies were reluctant to even assess their security efforts, but "in today's environment, there's a much greater level of awareness at the CEO and board level," said Yoran, now an independent consultant.

Still, many observers expect Congress to step in. One bill introduced by Democratic Sens. Charles Schumer and Bill Nelson would require companies to take "reasonable steps" to protect customers' personal information and restrict how that information is handled.

Another proposal backed by many financial-services companies would impose similar requirements but also prevent individual lawsuits and tougher state laws, according to a lawyer familiar with the proposal.

"We saw this coming two years ago, and the chickens are coming home to roost," said Entrust lobbyist Dan Burton.