Senate GOP Cybersecurity Push Stagnant as House Hawks Prep Bills
As the House Intelligence Committee marked up its cybersecurity information sharing bill Wednesday, GOP senators said they have not decided how to approach the issue in this Congress. Two of the leading sponsors of last year’s Republican cybersecurity legislation, the SECURE IT Act (S-2151, S-3342), said in separate interviews they have held meetings with cybersecurity stakeholders this spring but have yet to put pen to paper on a new cybersecurity bill. Meanwhile, Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said he’s meeting with Democratic cybersecurity hawks this week to develop their plan to address any gaps in President Barack Obama’s cybersecurity executive order.
Senate Judiciary Committee Ranking Member Chuck Grassley, R-Iowa, said Tuesday Republican cybersecurity leaders have not developed their approach to cybersecurity legislation. “I think we better wait and see what sort of consensus we can get,” he said. “It’s too bad [former Senator Kay Bailey] Hutchison [R-Texas] ain’t here. She kept that going.” Grassley planned to meet with cybersecurity stakeholders this week in order to discuss what he said was “finding a common ground” on the best approach to securing the nation’s networks.
Senate Armed Services Committee Ranking Member John McCain, R-Ariz., has had “meeting, after meeting, after meeting” with cybersecurity stakeholders since the beginning of the new Congress, he said in an interview Tuesday. Asked if he planned to reintroduce his SECURE IT Act, McCain said: “Oh, I don’t know. The conversations go on but obviously there is going to have to be some movement. It is a matter of time before there is a serious [cyber] attack on the United States of America. We all know that. It is a very urgent issue.” McCain said he continues to believe the Department of Homeland Security should not lead the cybersecurity effort despite the directions of the president’s cybersecurity order. “That’s a fundamental problem and we have not resolved liability issues among other things.”
Rockefeller plans to meet with Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper, D-Del., and Senate Intelligence Committee Chairman Dianne Feinstein, D-Calif., this week to discuss the Senate’s approach to cybersecurity, he said in a separate interview Tuesday. Rockefeller would not provide any specifics on whether they planned to introduce new legislation or tweak last year’s Senate Cybersecurity Act (S-3141). “Everything evolves. There hasn’t been much movement on that bill for three or four years,” he said, referring to previous versions of the Cybersecurity Act. “I think that is beginning to change.”
Rockefeller separately urged the Securities and Exchange Commission to elevate its cybersecurity guidance for companies to the commission level, in a letter made public Wednesday (http://1.usa.gov/ZMUXPr). The SEC currently offers staff guidance on cybersecurity disclosure obligations, but Rockefeller said “the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices,” in the letter sent to Mary Jo White, the new SEC chairman. Rockefeller had previously urged the agency to push companies for more transparency about cybersecurity breaches in the last Congress.
“Investors deserve to know whether companies are effectively addressing their cybersecurity risks,” Rockefeller’s letter said. “This information is indispensable to efficient markets, and as a country, we need the private sector to make significant investments in cybersecurity. Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cybersecurity efforts seriously.”
The SEC first issued cybersecurity disclosure guidance in fall 2011 that requires companies to detail past and potential cyberthreats to their business operations. The SEC expects companies to evaluate their cybersecurity risks and to consider the probability of future cyberincidents and the quantitative and qualitative magnitude of those risks. Companies must disclose known and threatened cyberincidents in their SEC filings and provide detail on how potential cyberattacks would impact a company’s liquidity or financial condition.