
From Banking and Finance Law Daily, July 26, 2013

Commerce Committee hearing considers cybersecurity legislation

By John M. Pachkowski, J.D.

The Senate Committee on Commerce, Science, and Transportation held a hearing on July 25, 2013, to discuss S. 1353, the “Cybersecurity Act of 2013,” which was introduced by Committee Chairman John D. (Jay) Rockefeller IV (D-WVa) and Ranking Member John Thune (R-SD) on July 24, 2013.

The legislation is intended to strengthen and protect the nation’s economic and national security by authorizing the National Institute of Standards and Technology (NIST) to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure. The bill would also ensure that the federal government supports cutting-edge research, raises public awareness of cyber risks, and improves the nation’s workforce to better address cyber threats.

Commenting on the bill’s introduction, Rockefeller said, “I’ve always thought this was a great way to emphasize the critical need for a public-private approach when it comes to solving our most pressing cybersecurity issues.” He added, “NIST is a jewel of the federal government and it’s the right organization to guide this very important work.” Thune noted, “we must leverage the innovation and know-how of the private sector, as well as the expertise and information held by the federal government to address immediate threats and those in the future.”

The Cybersecurity Act of 2013 comes on the heels of an Executive Order issued by President Obama in February 2013 instructing NIST to develop a framework to reduce cyber risks to critical infrastructure. Also, in June 2013, the Federal Financial Institutions Examination Council announced the formation of the Cybersecurity and Critical Infrastructure Working Group, which is intended to promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.

“A lot of sense.” At the outset of the hearing, Rockefeller emphasized in his opening statement that NIST was not a regulatory agency, but a scientific laboratory that helps American businesses solve tough technical problems. As for addressing threats to the country’s cybersecurity, Rockefeller noted, “Getting NIST involved in cybersecurity makes a lot of sense, because NIST already has decades of experience working with the private sector on computer security issues.” He added, “Making progress against our cyber adversaries is going to require a sustained, coordinated effort between the public and private sectors. And it is going to require the combined resources of many different government agencies and businesses. Acting alone, this Committee cannot make all of the changes needed to give our government and businesses the tools they need to make real progress on cybersecurity.”

Flexible and agile. Thune noted in his opening statement that “We must find solutions that leverage the innovation and know-how of the private sector, as well as the expertise and information held by the federal government. And, given the escalating nature of the threat, we should look for solutions that will have both an immediate impact and that will remain flexible and agile into the future.” Commenting on the Cybersecurity Act of 2013, he stated the bill “strikes the proper balance to ensure that what develops is industry-led and a true partnership between NIST and the private sector. It also ensures that NIST’s involvement, and this process, are both ongoing, in order to maintain the flexibility and continued innovation that is necessary to meet such a dynamic threat.”

Public–private partnership. Dorothy Coleman, Vice President on Tax, Technology, and Domestic Economic Policy for the National Association of Manufacturers, called the legislation “a good first step in assisting manufacturers in their ongoing efforts to reduce their cyber risk” and conveyed NAM members’ concerns that legislation cannot create a “static, regulatory-based regime.” She noted that there is a need to develop appropriate general and industry-specific best practices for improved cybersecurity, and said that in formulating cybersecurity policy NAM supports a public–private partnership that draws on industry best practices. She added that any cybersecurity standards framework needs to be risk-based and must keep pace with ever-changing cyber threats.

Trust and confidence. Mark G. Clancy, Managing Director of Technology Risk Management and Corporate Information Security Officer for The Depository Trust & Clearing Corporation, testifying on behalf of the American Bankers Association, Financial Services Roundtable, and Securities Industry and Financial Markets Association, provided information to the committee about the cyber risk landscape and private sector-led mitigation efforts. He noted that “Cyber threats are a frequent reality and a potential systemic risk to the industry.” Clancy added, “Our markets and financial networks are predicated on trust and confidence. The trusted transfers and transactions that occur hundreds of millions of times in a day are a fundamental prerequisite for modern capital markets, investors, consumers, and governments to conduct business and drive our economic growth…The financial services sector recognizes the risks and views cybersecurity as a non-competitive area and has committed to working together to identify potential threats and techniques to mitigate them.” Clancy also expressed support for The Cybersecurity Act of 2013 and emphasized the need for more information sharing.

Cybersecurity framework. Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and Director of the National Institute of Standards and Technology, discussed NIST’s role under the President’s Executive Order and NIST’s responsibility to develop a framework to reduce cyber risks to critical infrastructure. Gallagher noted that the cybersecurity framework will consist of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks for critical infrastructure. Regulatory agencies will also review the cybersecurity framework to determine whether current cybersecurity requirements are sufficient and propose new actions to ensure consistency. He noted that this approach reflects both the need to enhance the security of the nation’s critical infrastructure and the reality that the bulk of critical infrastructure is owned and operated by the private sector. He added, “Any efforts to better protect critical infrastructure must be supported and implemented by the owners and operators of this infrastructure. It also reflects the reality that many in the private sector are already doing the right things to protect their systems and should not be diverted from those efforts through new requirements.”

Collaboration is essential. Finally, Arthur W. Coviello Jr., Executive Vice President of EMC Corporation and Executive Chairman of RSA, The Security Division of EMC, urged the committee to consider a few key points regarding the Cybersecurity Act of 2013. He noted that any successful cybersecurity effort must be industry-driven and that public and private sector collaboration is essential to bolstering cybersecurity. Coviello added that cybersecurity standards should be voluntary, non-prescriptive, and technology-neutral, and that both government and the private sector must invest in increasing public awareness of the cyber threat. Coviello was also “pleased to see that the draft legislation includes provisions to increase cybersecurity research and to support the development of the cybersecurity workforce.” He concluded that it is also imperative that Congress address other key cybersecurity issues not under the Commerce Committee’s jurisdiction. For example, there should be legislative initiatives to update criminal laws and penalties; enact a federal data-breach law; modernize the Federal Information Security Management Act; and develop reasonable and effective policy approaches to supply chain protection that will not stifle innovation and competition.

Companies: American Bankers Association; EMC; Financial Services Roundtable; National Association of Manufacturers; RSA; Securities Industry and Financial Markets Association; The Depository Trust & Clearing Corporation

LegislativeActivity: BankingOperations
