US Congress considers cybersecurity legislation

Legislation imposing cybersecurity requirements on US private industry, including a proposal requiring public companies to report their cybersecurity efforts, may be introduced.

One proposal being considered would require companies to fill out a cybersecurity checklist in their filings with the US Securities and Exchange Commission (SEC).

Such a bill could be introduced later this year.

While antispam legislation will continue to be the major technology focus in Congress this autumn, the "pluses and minuses" of a cybersecurity reporting requirement are being examined.

Such a law would raise awareness of cybersecurity issues above the chief information officer level to chief executive officers, while avoiding specific cybersecurity requirements that may not fit all businesses, said Daniel Burton, vice-president of government affairs for security supplier Entrust.

"It does not mandate you must do X which, we all realise, is a false start," Burton said. "Different companies have different security needs and different risks. So it's impossible to set up a mandate for everyone."

Stockholders and boards of directors could then judge for themselves whether a company is adequately dealing with cybersecurity, Burton said.

"Everyone from the board level on down is really going to be focused on what [the cybersecurity reports] are saying," he added.

The bill under consideration would require companies to satisfy the criteria on a checklist.

The bill would be intended to raise cybersecurity awareness among top-level executives at companies.

Congress may feel the need to act on cybersecurity legislation if more viruses or worms are unleashed onto the internet, said Robert Housman, a US lawyer.

In the past month, the Sobig and Blaster worms infected computers worldwide, causing millions of dollars in damage, and Congress may be compelled to take some action.

The number of attacks on company networks also continues to climb.

"On top of all that, there is a perception, right or wrong, among a lot of the regulators and congressional members I've talked to, that not enough is happening on the cyber front, that companies still remain vulnerable," Housman added. "Because of that, there is a growing impetus to legislate or regulate."

Legislation heading toward incentives or reporting requirements may be more well received by industry than a list of must-do actions, Housman said.

He expected to see some sort of cybersecurity legislation getting serious attention in Congress this year.

A reporting requirement would hold companies accountable for their cybersecurity efforts. But such a requirement could make investors and executives nervous, he added.

Grant Gross writes for IDG News Service