How Rockefeller's Selling His Cyber Bill

There are six cybersecurity bills in Congress now, but the one with the best chance of reaching the floor first is the Senate Commerce Committee's, authored by Jay Rockefeller and Olympia Snowe. The two want to stake out the developing arena of cyber law in the name of commerce and industry rather than security and warfare. One of the more interesting provisions of the Rockefeller-Snowe bill takes the form of a public-private partnership. When you hear that phrase used in government, it usually means that neither the private sector nor the public sector wants to take full responsibility for whatever it is they're partnering on, and hard goals often don't get met. The goal of the cyber legislation with regard to business is simple: companies that play critical roles in American commerce and national security must be as secure as possible. Rather than mandating or imposing government standards, the bill...well, here's what Rockefeller said today to the Business Software Alliance in Washington, which has expressed concerns with parts of the legislation.


The bill also creates a dynamic cycle of market-driven innovation in professional training and cybersecurity products and services. Companies that excel will be recognized for their excellence, and companies that fall short will implement a remediation plan driven by the market and facilitated by the government. I know some groups have had concerns about these proposals.

But here's the truth: the government will not be choosing winners and losers, nor will it be laying down arbitrary standards from on high. Instead, we want to empower the private sector to develop the standards of excellence that best suit your business or sector. Once you set those standards, we will hold you to them. That's not regulation; it's a 21st century imperative, both for markets and for national security.

Some have criticized our proposed independent audit process as inflexible and burdensome. And yes, we do recognize that "compliance" is not always the same thing as security, and that audits can be costly and time-consuming. However, I think we can all agree that effective cybersecurity simply is not possible without a reliable mechanism to evaluate performance. We have yet to be presented with a viable alternative.

So, we have built on the audit-based framework already used by many in the private sector. We expect that if the private sector takes the lead as laid out in our bill, the standards and certification will be flexible and dynamic, not bureaucratic and burdensome. For those who are still unhappy with our proposal, I welcome your ideas and alternatives.

Rockefeller ends with a warning:

You must know genuine accountability is non-negotiable, and for the system to work, any standards must be credible.

What this means: if business doesn't do it, government will.