The recent effective defeat of the proposed Cybersecurity Act of 2012 (S. 2105) (www.govtrack.us/congress/bills/112/s2105/text), after supporters failed to secure the 60 Senate votes needed to cut off a filibuster, appears to mark the end of this year's efforts to enact legislation confronting the cybersecurity threat to critical U.S. infrastructure. Perhaps inevitably, in an election season Congress could not choose between two very different visions.
That some action is needed in the realm of cybersecurity is the one thing beyond debate. Over the last year, supporters of various versions of legislation have emphasized that the nation's critical infrastructure, including electrical grids, water stations and telecommunications systems, is a target for cyber-attacks. Indeed, in July, the head of the National Security Agency and the U.S. Cyber Command (www.defense.gov/home/features/2010/0410_cybersec) said that computer attacks on U.S. infrastructure had increased 17-fold between 2009 and 2011, and rated U.S. preparedness for a large cyber-attack at around three on a scale of 1 to 10.
What action should be taken to address this threat, however, sparked sharp partisan disagreement. In the Senate, for example, supporters of the bill backed by the Obama Administration were unable to mollify its opponents' concerns: that the provision incentivizing companies to adopt voluntary cybersecurity standards was simply a guise for developing de facto mandatory standards; that the authority to aggregate cyber-attack information had been delegated to the wrong agency; and that the bill's provisions did not strike the right balance between national security, private innovation and self-governance, and civil liberties.
The Senate may try again this fall, but with few legislative days remaining on the congressional calendar, the election looming, and a busy lame-duck session in the offing, the more likely outcome is that, following the election, the next administration, whether led by President Obama or Governor Romney, will address the national cybersecurity problem through executive action.
Because corporate systems will be the primary focus of cybersecurity reforms, it is an ideal time for companies and their counsel to assess the strength of their existing cybersecurity programs. Indeed, cybersecurity must figure prominently in any conversation about long-term strategic risks to a company's interests.
An important strategic consideration for an internal assessment is, of course, the form that executive action may take.
Transparency and Disclosure
In October 2011, the staff of the Securities and Exchange Commission (SEC) published guidance on when public companies may need to disclose cybersecurity risks and incidents, including material breaches of their systems, where those risks would significantly affect investment decisions. (See, “CF Disclosure Guidance: Topic No. 2,” http://1.usa.gov/ppKxqE.) While the SEC has not yet brought an enforcement action under this guidance, the guidance opens the door for the agency to do so.
Unlike the other models of executive action discussed below, the SEC's disclosure guidance is already in effect. The challenge for companies affected by it is determining when to disclose and what disclosure is necessary. While disclosing cyberthreats can keep a company clear of enforcement action, disclosure may also cause reputational harm and diminish shareholder confidence. Public disclosure of a cyber-attack while it is still under way, which the guidance suggests companies may need to undertake, also often spurs the attackers to accelerate their data theft, leaving the company less time to analyze the attack and contain the damage.
Indeed, the SEC staff has recognized the dilemma its disclosure guidance presents. Because both public disclosure and a noncompliant failure to disclose carry unpalatable consequences, the guidance has the effect, through forced transparency, of pushing companies to monitor and minimize cyber-risks. In other words, the best position for a company under the SEC guidance is to have few, or even no, material cyberthreats or cyber-attacks to report.
It is still unclear whether a company's failure to adopt a rational cybersecurity policy (either by lacking such a policy entirely or by implementing obviously subpar measures) could trigger agency enforcement under the guidance. However, companies whose disclosures indicate an awareness of material cyberthreats, but which do not take proactive steps to secure their infrastructure against those threats, may expose themselves not only to agency scrutiny but also to shareholder suits and other litigation risks.
Power of the Purse
In recent years, the federal procurement budget for government contracts with private vendors has been as high as $460 billion, and the award of federal contracts has often been conditioned on contractors' implementation of security standards in the IT networks used for the contracted projects. The Senate has already heard testimony urging the use of procurement power to move vendors to more robust cybersecurity protections, and the Office of Management and Budget (OMB) is currently considering revisions to its cybersecurity guidelines for federal IT systems. Following this approach, the executive branch might argue that national security requires government suppliers to protect the value chain leading to the federal government from unwarranted exposure to cyber-attacks, and might require government vendors to implement cybersecurity standards as part of their performance of federal contracts.
Government Standards
In 2013, the executive branch may move on standards, whether mandatory or voluntary. Government agencies or their delegates currently create an overlapping patchwork of sector-specific cybersecurity standards. Examples include the Federal Financial Institutions Examination Council's suggested cybersecurity requirements for depository institutions in banking and finance, the Federal Energy Regulatory Commission's cybersecurity standards for the energy sector, and the Nuclear Regulatory Commission's cybersecurity guidance for nuclear power plants. The next administration may consider consolidating such standards setting in one agency, tasked solely with protecting critical infrastructure networks across sectors, as the Senate bill contemplated. Of course, the form of those standards would likely turn on the same issues that surrounded the bill's standards-setting provision: whether the standards would be voluntary or de facto mandatory, and whether the standards-setting process would allow for industry input.
Voluntary Multi-Stakeholder Consensus
An executive order could task administrative agencies with coordinating voluntary, multi-stakeholder groups to set security standards, in keeping with the tradition of open and participatory Internet governance. For example, the National Institute of Standards and Technology (NIST), the U.S. Commerce Department agency that promulgates security standards for federal agencies, already engages in such open, multi-actor standards setting as part of that process, allowing it to draw on expertise from private industry, academia and government scientists. Because the resulting standards represent a consensus among the technical community, industry players often adopt them voluntarily. Executive action could opt for this model of controlled self-governance, inviting companies to shape the substance of future cybersecurity standards.
Operative Standards of Care
Another related model for executive action on cybersecurity involves developing “codes of conduct” for corporate cybersecurity that become the operative standard of care in future litigation. The Obama Administration has adopted this tack in effectuating its consumer data privacy policy. After unveiling a Consumer Privacy Bill of Rights (http://1.usa.gov/AcsRci), which outlined broad principles for commercial uses of personal data (such as “accountability” and “respect for context”), the Administration directed the Commerce Department's National Telecommunications and Information Administration to develop, through voluntary, multi-stakeholder consensus, enforceable codes of conduct in line with those broader principles. The Federal Trade Commission has said that it will take action against companies that promise to adhere to such voluntary codes of conduct but fail to do so.
Conclusion
The 2012 presidential election will inform, but not end, the debate over the cybersecurity of U.S. infrastructure. As ongoing disclosures clarify the exact ramifications of the SEC guidance, and as companies await the executive branch's next move, counsel are well-advised to settle on their own cybersecurity best practices. Indeed, a recent study by PricewaterhouseCoopers found that 43% of corporate executives from 130 countries had confidence in their security protocols, but only 13% of those executives had implemented a cybersecurity strategy and were aware of recent breaches of their companies' networks. (See, “Cybersecurity: The New Business Priority,” http://pwc.to/KIe9Y3.) For those not in the 13%, it is an ideal time to consider how their cybersecurity standards would fare under the different forms executive action might take.