“The cyber threat we face is unprecedented and we need an innovative and cooperative approach between the private sector and the federal government to protect the country from it.”

—Sen. John D. Rockefeller IV (D-WV)

Yesterday, Senator John Rockefeller, Chairman of the Senate Committee on Commerce, Science, and Transportation, issued a letter to the Chief Executive Officer of every Fortune 500 company seeking information about company cybersecurity practices and their views on pending federal legislation related to cybersecurity.[i]

Senator Rockefeller’s letter focused on the Senate’s recent inability to pass the Cybersecurity Act of 2012,[ii] which the Senator said he sponsored “to create a voluntary program that would empower the private sector to collaborate with the federal government to develop dynamic and adaptable voluntary cybersecurity practices for companies to implement as they see fit.”

  • The Cybersecurity Act would have required the Department of Homeland Security (DHS) to conduct risk assessments to identify the most significant cyber threats and then establish cybersecurity performance requirements for “critical infrastructure systems and assets whose disruption could result in severe degradation of national security, catastrophic economic damage, or the interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations.”  
  • Under the legislation, owners of critical infrastructure would have been given flexibility to meet the performance requirements as they saw fit, and assets that were already “appropriately secured” would have been exempted from the requirements.  
  • The legislation would have also created a “cybersecurity exchange,” through which public and private sector entities could have shared information about cyber threats, while ensuring that privacy is protected. 

Senator Rockefeller’s letter to the Fortune 500 follows a letter sent by the lead sponsors of the Cybersecurity Act in July to the U.S. Chamber of Commerce.[iii] While Senator Rockefeller and some of his colleagues are now urging President Obama to sign an Executive Order that will direct the promulgation of voluntary cybersecurity standards, the Chairman stated that the effects of an Executive Order would be limited compared to the Cybersecurity Act. Consequently, the Chairman wrote in his letter that legislation is still needed. He specifically solicited the comments of the Fortune 500 CEOs regarding their views on cybersecurity.

Against this backdrop, the Chairman’s letter seeks answers from the Chief Executive Officers of the Fortune 500 to eight questions regarding their cybersecurity practices and their concerns, if any, about the Cybersecurity Act.

Chairman Rockefeller’s request for information does not legally compel companies to respond, but a Committee spokesman has stated that the Committee expects to hear from each company.[iv]

What’s Next

While Senator Rockefeller’s letter appears to be more focused on securing support from Fortune 500 companies for his policy initiatives, and less on investigative probing, it is still too early to say where this will lead. The Chairman’s letter emphasizes his concern about previous efforts to block the legislation and suggests he may be looking to obtain support from CEOs for the next push to enact the Cybersecurity Act.

It is also possible—consistent with Committee action in other investigations and inquiries—that the Committee is gathering information that may eventually surface at a Committee hearing, in a Committee or staff report, or during Senate debate. With this in mind, it is prudent, as with any Congressional request, to proceed carefully and to respond with a well-considered, accurate response. Given the potential for follow-up activity once the Committee has received responses, it will be necessary to monitor closely ongoing legislative and Committee developments.