Cybersecurity regulations imminent, industry and government warn

In the debate over national cybersecurity strategy, most of the participants insist they don't want new regulations. Instead, they say, they want the marketplace to create cyberdefenses against hackers, viruses, and other Information Age threats.

But regulations are coming anyway, some industry and government officials warn, in part because the high-tech sector is reluctant to take on new burdens during an economic slowdown. And some factions in the debate actually want regulations that would boost information-sharing within industry, increase federal spending for industry's priorities, and encourage lawsuits against companies that have sloppy computer defenses.

Congress and public concern will pressure tech companies to strengthen cybersecurity with a blend of threats, broad regulations, and publicity, according to James Lewis, director of the technology program at the Center for Strategic and International Studies. A similar mix of pressures in the early 1900s led to improved safety in the food, mining, and railroad industries, Lewis said.

The White House released its draft plan on September 18, "so that everyone in the country can tell us what the strategy should be," said Richard Clarke, the administration's cybersecurity chief. The report does not call for legislation or regulations, but instead offers "17 priorities and 80 recommendations." The plan largely limits government's role to boosting public awareness, funding extra research, fostering information-sharing, and operating its own cyberdefenses, officials said. "The government cannot dictate. The government cannot meddle. The government cannot alone secure cyberspace," Clarke declared.

This language is reassuring to the business community, which fears regulation as much as it fears cyberattacks such as "distributed denial of service" incidents that can stop online purchases.

Clarke's language reflected the White House's decision to strip many detailed recommendations for new laws and regulations from the draft plan before it was released. For example, earlier drafts had called for board members to assume liability for corporate security policies; the preliminary language also would have required Internet service providers to supply their customers with new types of anti-hacker software. Industry officials are still wary that such regulations may reappear in the final version that is to be signed by the president.

Industry executives also fear that stringent regulations will turn off consumers-and that tech companies will lose money as a result. And they worry about liability risks, said Stewart Baker, a partner at the law firm Steptoe & Johnson who has clients in the high-tech industry. Customers may reject security measures they find intrusive, he said, and sales of security services may not be high enough to cover companies' investment costs.

For the computer industry, which has a hard time predicting security problems or the cost of compensating victims, liability is an increasingly significant issue. The White House is continuing to prod company auditors, insurance agents, and citizens to pay more attention to information security, industry experts say. So far, a few entrepreneurial lawyers have sought economic damages for computer-security problems but the suits have largely failed, in part because the claims are still so novel.

Occasional comments from government officials tend to heighten industry's concerns about liability. For example, on September 18, Howard Schmidt, vice chairman of the White House Critical Infrastructure Protection Board, compared computer security to seat belts, which were at first treated as an inconvenience but are now an accepted part of driving. Because many lawsuits grow out of complaints about automobile safety, Schmidt's comment "is a little too close to the surface for industry's tastes," Baker said. "There is a real worry that, sooner or later, [liability] will be seen as an attractive way for the government to get people to do what they want: Sic the lawyers on them."

But on the other hand, the White House's efforts to boost public awareness of cyberdefense issues can create demand for new products, some executives say. "The debate is going to get the public engaged in a constructive way," said Bill Sweeney, head of global public policy for Electronic Data Systems in Plano, Texas. It "will also highlight opportunities for the market and technology to address some of these real problems," he said.

Industry officials also hope for some largesse from Congress. For example, many executives backed a measure drafted by Rep. Fred Upton, R-Mich., that would have granted corporate tax breaks for investment in information-security programs. "As American business recognizes the increased cost of security, that bill will come back up," Sweeney predicted. "At some point in time, you're going to get into a cost discussion," he said, which might include some kind of surcharge on information technology that would be used to pay for the security add-ons.

So far, marketplace conditions are not helping to boost security, said Ira Parker, general counsel for Genuity, an Internet firm. Many telecommunications companies are already in bankruptcy, and others are trying to cut inefficiencies in ways that increase cybersecurity vulnerabilities, according to Parker.

The White House security plan is "essentially an appeal to the private sector to do something," said Warren Axelrod, a senior computer-security executive at the financial services firm Donaldson, Lufkin & Jenrette. "If the private sector does not respond, they will only have themselves to blame if along comes a slew of burdensome laws and regulations."