Cybersecurity legislation may go to Congress
One proposal would require public companies to report their cybersecurity efforts

News Story by Grant Gross

SEPTEMBER 04, 2003 (IDG NEWS SERVICE) - WASHINGTON -- As the U.S. Congress reconvenes this week after a monthlong break, legislation imposing cybersecurity requirements on private industry, including a proposal that would require public companies to report their cybersecurity efforts, may be on the way.

One proposal being considered would require businesses to fill out a cybersecurity checklist in their filings with the U.S. Securities and Exchange Commission. Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, will consider introducing such a bill late this year, according to Bob Dix, the subcommittee's staff director.

While antispam legislation will continue to be the major technology focus in Congress this fall, Putnam's subcommittee is looking at the "pluses and minuses" of a cybersecurity reporting requirement, similar to SEC accounting reporting requirements mandated in the Sarbanes-Oxley Act of 2002, Dix said.

Such a law would raise awareness of cybersecurity issues among top-level executives at companies while likely avoiding specific cybersecurity requirements that may not fit all businesses, said Daniel Burton, vice president of government affairs for Addison, Texas-based security vendor Entrust Inc.

"It does not mandate 'You must do x,' which we all realize is a false start," Burton said of an SEC cybersecurity reporting requirement. "Different companies have different security needs and different risks. So it's impossible to set up a mandate for everyone."

Stockholders and boards of directors could then judge for themselves whether a company is adequately dealing with cybersecurity, Burton said. "Everyone from the board level on down is really going to be focused on what [the cybersecurity reports] are saying," he added.

The bill Putnam is considering wouldn't require companies to lay out specifics about their cybersecurity efforts, Dix said. Instead, it could take the form of a checklist, asking such questions as, "Do you have an up-to-date IT assets list?"

If such a bill is introduced, the subcommittee would expect some opposition, Dix said. "My guess is there will be some who say anything that the government proposes is a great burden," he said.

But Congress may feel the need to act on cybersecurity legislation if more viruses or worms are unleashed on the Internet, said Robert Housman, a lawyer in the homeland security practice of the law firm Bracewell & Patterson LLP in Washington. In the past month, the Sobig and Blaster worms infected computers worldwide, causing millions of dollars in damage, and Congress may be compelled to take some action, Housman said.

"There are a number of things that are working together that are going to result in some form of legislation on cybersecurity," Housman said.

In addition to viruses and worms, the number of attacks on company networks continues to climb, Housman said.

"On top of all that, there is a perception, right or wrong, among a lot of the regulators and congressional members I've talked to that not enough is happening on the cyber front, that companies still remain vulnerable," Housman added. "Because of that, there is a growing impetus to legislate or regulate."

Legislation headed toward incentives or reporting requirements may be better received by industry than a list of must-do actions, Housman said. "If we have [another] cyber incident, who knows what will happen?" he said. "I have to think that sooner or later, someone is going to cause fairly significant dislocation/chaos. If that happens, all bets go off."

Housman expects some sort of cybersecurity legislation to receive serious attention in Congress this year. A reporting requirement, like the one Putnam's subcommittee is considering, would hold companies accountable for their cybersecurity efforts, he added. But such a requirement, if it also includes reporting of penetration attempts, could make investors and executives nervous, Housman said.

"If you run a major business ... you're getting attempts to break into your system on a fairly regular basis," Housman said. "When you start having to report those numbers, if that's one of the things [the legislation] does -- wow, that could make some of your shareholders a little queasy."

Story copyright 2003 International Data Group. All rights reserved.



Copyright © 2004 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.