Cybersecurity bill tabled after vendor pressure

Rep. Adam Putnam this week shied away from introducing legislation that would have required companies to conduct independent security audits and detail the results in their annual reports. The retreat was a result of pressure from industry groups representing large hardware and software vendors.

Rather than introducing the Corporate Information Security Accountability Act of 2003, Putnam (R-Fla.) tabled the bill and challenged industry organizations to come up with an alternative proposal within 90 days. A working group of representatives from the Information Technology Association of America, the Business Software Alliance, the Business Roundtable (BRT), the SANS Institute and the U.S. Chamber of Commerce held its first meeting this week.

The vendor community has come out against the Putnam bill for two reasons, said John Pescatore, an analyst at Gartner Inc. Security vendors are worried that corporate budgets will shift toward consulting and audits and not security products, he said. And the IT product vendors are worried that companies will be less willing to upgrade once their current architecture has passed testing.

Putnam’s office, the Chamber of Commerce and the BSA didn’t respond to Computerworld’s requests for comment.

However, several working group members and security analysts said the roadblock stems from both political and practical issues. Aside from the perceived existence of an antilegislation “cabal” consisting of large IT industry consortia, some security analysts questioned the wisdom of reporting security information to the Securities and Exchange Commission, because that has proven ineffective and at times costly.

Alan Paller, director of research at the SANS Institute, a member of the industry working group and a supporter of the Putnam measure, said the bill faces an uphill battle. The main adjustment being championed by Paller is the mandated use of commercially available automated tools for testing security configurations and vulnerability mitigation.

“By encouraging their use, you create a groundswell of demand for benchmarks,” Paller told members of Putnam’s staff in a memo. “Commercial organizations will step into that benchmarking space, and as organizations find themselves in the lower percentiles, they will improve their security, creating a powerful continuing force for overall improvement of security throughout the nation.”

But not all members of the industry working group see the bill in the same light. Harris Miller, president of the Arlington, Va.-based ITAA, one of the main forces behind getting Putnam to delay the bill, said the “ITAA believes having the trial bar run the IT industry is a bad idea . . . and having government bureaucrats approving IT innovations before they are released to the marketplace is a terrible idea.”

A spokesman for the BRT, a Washington-based association of CEOs of large companies, including some of the software vendors that belong to the ITAA and BSA, said the BRT doesn’t comment specifically on legislation that has not been introduced.

However, Klaus Kleinfeld, chairman and CEO of Siemens and chairman of the BRT’s Security Task Force’s Information Security Committee, told Computerworld in a written statement that while the BRT supports Putnam’s effort to raise cybersecurity to the level of a national policy debate, BRT members aren’t waiting for legislation to take action. The BRT is currently holding discussions with “manufacturers, purchasers and users of information security technology to shape the marketplace for IT security goods and services,” said Kleinfeld, adding that proactive industry measures will be announced in the coming months.