Chief executives of each of the Fortune 500 companies will soon receive a letter from Senator John D. Rockefeller IV (D-W.Va.) asking them to describe how their companies address computer network security, or “cybersecurity.” In the letter, Senator Rockefeller explains that he is addressing Fortune 500 companies directly because of the recent stalling of the Cybersecurity Act (S. 3414) in the U.S. Senate.
The Act has been the subject of controversy since it was first introduced on February 14, 2012. Senator Rockefeller, an original co-sponsor of the bill, describes it as the framework for a voluntary program that would “empower the private sector” to work collaboratively with the federal government to develop “dynamic and adaptable” security practices to implement at each company’s discretion. The U.S. Chamber of Commerce, however, raised concerns in advance of the Senate vote on August 2 that the bill would “likely create an adversarial relationship” between business and government. It further argued that security standards proposed in the bill could lead to burdensome and costly government regulations.
In his letter, Senator Rockefeller seeks feedback “…directly from the chief executives of leading American companies.” His letter poses eight questions to the Fortune 500 executives, including whether they have concerns about the interaction between government and the private sector outlined in S. 3414. The letter asks the executive officers to respond by October 19, 2012, although they are not legally required to do so.
In a related development, Department of Homeland Security Secretary Janet Napolitano testified today at a hearing before the Senate Homeland Security and Government Affairs Committee that an executive order directing federal agencies to work with industry to develop best practices to secure critical computer network infrastructure is “close to completion.” Senator Rockefeller, who sent a letter to President Obama on August 13, 2012, endorsing the idea of an executive order in light of congressional disputes, nonetheless believes that such a measure would accomplish “only a portion of what the Cybersecurity Act of 2012 set out to do,” adding in his letter that legislative action will still be needed.