[ISN] Congress considers cybersecurity legislation
From: InfoSec News (isn@c4i.org)
Date: Fri Sep 05 2003 - 02:05:36 CDT
By Grant Gross
IDG News Service
As the U.S. Congress reconvenes this week after a month-long break,
legislation imposing cybersecurity requirements on private industry,
including a proposal that would require public companies to report
their cybersecurity efforts, may be on the way.
No bill has been introduced yet, but one proposal being considered
would require companies to fill out a cybersecurity checklist in their
filings with the U.S. Securities and Exchange Commission.
Representative Adam Putnam, chairman of the House Government Reform
Committee's Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census, will consider introducing
such a bill late this year, according to Bob Dix, the subcommittee's
While antispam legislation will continue to be the major technology
focus in Congress this fall, Putnam's subcommittee is looking at the
"pluses and minuses" of a cybersecurity reporting requirement, similar
to SEC accounting reporting requirements mandated in the
Sarbanes-Oxley Act of 2002, Dix said.
Such a law would raise awareness of cybersecurity issues above the CIO
level to CEOs, while likely avoiding specific cybersecurity
requirements that may not fit all businesses, said Daniel Burton, vice
president of government affairs for security vendor Entrust.
"It does not mandate you must do X, which we all realize is a false
start," Burton said of an SEC cybersecurity reporting requirement.
"Different companies have different security needs and different
risks. So it's impossible to set up a mandate for everyone."
Stockholders and boards of directors could then judge for themselves
whether a company is adequately dealing with cybersecurity, Burton
said. "Everyone from the board level on down is really going to be
focused on what (the cybersecurity reports) are saying," he added.
The bill Putnam is considering wouldn't require companies to lay out
specifics about their cybersecurity efforts, Dix said. Instead, it
could take the form of a checklist, asking such questions as, "Do you
have an up-to-date IT assets list?"
The bill would be intended to raise cybersecurity awareness among
top-level executives at companies, Dix added.
If such a bill is introduced, the subcommittee would expect some
opposition, Dix said. "My guess is there will be some who say anything
that the government proposes is a great burden," he said.
But Congress may feel the need to act on cybersecurity legislation if
more viruses or worms are unleashed onto the Internet, said Robert
Housman, a lawyer in the homeland security practice of the law firm
Bracewell & Patterson LLP in Washington, D.C. In the past month, the
Sobig and Blaster worms infected computers worldwide, causing millions
of dollars in damage, and Congress may be compelled to take some
action, Housman predicted.
"There are a number of things that are working together that are going
to result in some form of legislation on cybersecurity," Housman said.
In addition to viruses and worms, the number of attacks on company
networks continues to climb, Housman said.
"On top of all that, there is a perception, right or wrong, among a
lot of the regulators and congressional members I've talked to, that
not enough is happening on the cyber front, that companies still
remain vulnerable," Housman added. "Because of that, there is a
growing impetus to legislate or regulate."
Legislation headed toward incentives or reporting requirements may be
better received by industry than a list of must-do actions, Housman
said. "If we have (another) cyber incident, who knows what will
happen?" he said. "I have to think that sooner or later, someone is
going to cause fairly significant dislocation/chaos. If that happens,
all bets go off."
Housman expects to see some sort of cybersecurity legislation getting
serious attention in Congress this year. A reporting requirement, like
the one Putnam's subcommittee is considering, would hold companies
accountable for their cybersecurity efforts, he added. But such a
requirement, if it also includes reporting of penetration attempts,
could make investors and executives nervous, Housman said.
"If you run a major business ... you're getting attempts to break into
your system on a fairly regular basis," Housman said. "When you start
having to report those numbers, if that's one of the things (the
legislation) does, wow, that could make some of your shareholders a