Rockefeller: Fortune 500 companies back voluntary cybersecurity standards

Leading U.S. companies will support a voluntary program enabling the government and industry to develop a set of cybersecurity best practices, according to a memo from Senate Commerce Committee Chairman Jay Rockefeller (D-W. Va.).

The report released by Rockefeller’s staff on Wednesday conflicts with claims raised last year by the U.S. Chamber of Commerce that establishing the voluntary standards was opposed by business and could be a backdoor to new burdensome regulations.

{mosads}The release of the report comes after Rockefeller sent letters to every CEO of Fortune’s top 500 companies last fall asking them to outline what cybersecurity measures they have in place to protect their computer systems and to state their concerns with a sweeping cybersecurity bill that failed to pass the Senate last year. Rockefeller, a co-sponsor of that bill, sent letters to Amazon, Google, Cisco and Apple, among other companies.

The memo says that many companies “supported the aims” of a voluntary program led by the government that would develop cybersecurity best practices with industry, which was the key feature of the Senate bill last year. The U.S. Chamber unleashed a fierce lobbying campaign against the bill and argued that the voluntary program could lead to the creation of new government regulations that industry must follow.

In the memo, Rockefeller’s Commerce Committee staff said the company responses show that many of them don’t share the U.S. Chamber’s concerns about the voluntary program. The staff memo took a critical view of the Chamber’s fight against the Senate cybersecurity bill and raised questions about their tough opposition to the measure last year.

“Many companies supported an increased government role and many supported the voluntary federal program envisioned in the Cybersecurity Act of 2012,” the memo reads.

“Our review of the companies’ answers to these questions shows that the Chamber of Commerce’s vehement opposition to the legislation was not shared by many companies in the private sector,” the memo adds. “Many companies provided support for provisions in the legislation and, when they raised concerns, they were offered in a thoughtful, constructive manner.”

Around 300 companies responded to Rockefeller’s letter. The staff memo did not name any of the companies that responded to the letter and only described the companies in general terms, such as a “global financial company” or an “energy company.”

“Companies understand that the cyber threats we face are real and they understand that the federal government must play an important role in the nation’s cybersecurity moving forward,” Rockefeller said in a statement. “The companies’ responses will be a great resource as we refine much-needed cybersecurity legislation to improve and deepen the collaboration between our government and private sector.”

The Cybersecurity Act failed to pass the Senate twice last year after it faced opposition from GOP senators and the U.S. Chamber. They argued that the voluntary program would saddle industry with burdensome regulations and add another layer of bureaucracy to existing security structures.

In their responses to Rockefeller, many companies did raise concerns about the creation of new mandatory cybersecurity requirements or rules that may hinder their ability to address cyber incidents. Financial and energy-sector companies said they were concerned that new cybersecurity rules would disrupt the existing relationships they have with regulators, the memo said.

“Very few companies” expressed outright opposition to the bill, in which critical-infrastructure operators would work with the government to develop cybersecurity best practices in exchange for incentives, the memo said. Meanwhile, “only a subset” of companies said their positions were in line with the Chamber.

The Chamber of Commerce backed cybersecurity legislation last year that focused on improving information sharing about cyber threats and argued this was the best method to protect the nation’s critical infrastructure from a crippling cyberattack. The staff memo said several companies voiced support for legislation that would increase information sharing about cyber threats between the government and industry.

“Nearly every company that provided a thorough response expressed support for more robust, two-way cyber threat information sharing, with greater access to security clearances to ease the process,” the memo said.

In a response to the memo’s release, the Chamber said it has worked for more than three years with its members on discussing the best path forward for cybersecurity legislation and it opposes new government cybersecurity standards.

“Voluntary standards sound great in theory, but the devil is in the details,” Ann Beauchesne, the Chamber’s vice president of national security and emergency preparedness, said in a statement. “Whether a new cybersecurity program is labeled regulatory or ‘voluntary,’ the fact is government officials will have the final word on the standards and practices that industry must adopt, which the Chamber opposes.”

Rockefeller plans to continue working on cybersecurity legislation this year. Last week Rockefeller and a group of leading Senate Democrats said enacting legislation would be a priority this year and introduced a resolution stating that cyberattacks are one of the most serious threats facing the U.S.

This story was last updated at 11:45 a.m.