Trade groups outline cybersecurity bill concerns
Technology trade groups and a prominent high-tech watchdog are worried that recent tweaks to a broad cybersecurity bill introduced in April by Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, do not alleviate concerns about proposed government standard-setting powers, which they say could impede innovation.
The Business Software Alliance and TechAmerica, which represent Cisco Systems, IBM, Intel, Hewlett-Packard, Microsoft and more than 1,000 other firms, joined the Center for Democracy and Technology in urging Rockefeller's staff to alter language that would give the National Institute of Standards and Technology a major role in how IT systems are designed.
The original bill called for NIST to formulate standards for measuring software security for IT components commonly used in critical networks and create common configurations of security settings for operating system software. Under that version, the Commerce Department, which houses NIST, would be required to enforce manufacturers' compliance with those standards.
A retooled draft softens the language by requiring of NIST "measurable and auditable" risk metrics and best practices. Each operator of a critical network would have to report the results of audits that evaluate compliance, which critics believe would allow NIST to impose software and network standards on companies. CDT senior counsel Greg Nojeim said today the text could result in guidance that is "much too granular."
BSA executives went further, arguing Monday that software firms doing global business cannot operate under country-specific rules. BSA lobbyist Katherine McGuire pointed to China's threat to impose software requirements, which could effectively close off that market for some U.S. products. [changed from original]
A more attractive alternative is encouraging global standards that are developed by the IT industry, BSA Manager of Information Security Policy Franck Journoud said. He said that would stimulate innovation, which is critical to improving U.S. security since high-tech criminals are frequently a step ahead of their targets.
A Rockefeller spokeswoman said his staff has received extensive comment from industry and civil liberties groups and the final bill will benefit from the comments received.
BSA shared their concerns about the Rockefeller bill with aides for Senate Homeland Security and Governmental Affairs Chairman Joseph Lieberman, who plans to introduce cybersecurity legislation soon. During a Monday hearing on the topic, Lieberman also contemplated the creation by Congress of encryption standards for the private sector.