Key Vote letter on S. 3414, the "Cybersecurity Act of 2012”

TO THE MEMBERS OF THE UNITED STATES SENATE:

The U.S. Chamber of Commerce, the world’s largest business federation representing the interests of more than three million businesses and organizations of every size, sector, and region, strongly supports amendments expected to be offered that would strike the text of S. 3414, the “Cybersecurity Act of 2012,” and replace it with the provisions of S. 3342, the “SECURE IT Act of 2012.”

Cybersecurity is a critically important issue for the American business community and the nation. For the Chamber, it is not a question of whether Congress should pass legislation to address cybersecurity, but how Congress can best craft legislation to achieve this goal.

SECURE IT is prudent legislation that has broad industry support and would dramatically help America improve its cybersecurity posture. It would put timely and actionable information into the hands of vetted business owners and operators so that they could enhance the protection of their systems and assets against cyber threats. The bill would support existing information-sharing and analysis organizations and incorporate lessons learned from pilot programs undertaken by critical infrastructure sectors.

Businesses need certainty that threat and vulnerability information voluntarily shared with the government will not lead to frivolous lawsuits, will not be publicly disclosed, and could not be used by officials to regulate other activities. The Chamber supports the efforts by the sponsors of SECURE IT to make certain that the informationsharing processes provided by the legislation would provide necessary and important privacy and civil liberties protections.

The Chamber believes that SECURE IT underscores the notion that Congress should enact legislation that would help companies deflect or defeat advanced and sophisticated threats such as those from foreign intelligence agencies, criminal gangs, and rogue hackers. Cyber threats change so quickly that any legislation must also maintain the ability of the private sector to be agile in the detection, prevention, mitigation, and response to cyber events that can have national or global impact.

The Chamber has been heavily engaged with Congress on cybersecurity since legislation first emerged on this issue in 2009. The Chamber has remained heavily engaged on and committed to enacting legislation throughout the current Congress to ensure that private and public sector systems are protected and working in collaboration.

There are two attachments to this letter. One is detailed correspondence that the Chamber sent in January 2012 to Leaders Reid and McConnell that highlights what we believe to be the key components of cybersecurity legislation. The second is a prepared statement by former Secretary of Homeland Security Tom Ridge, who testified in February 2012 before the Senate Homeland Security and Governmental Affairs Committee on behalf of the Chamber. Secretary Ridge, who chairs the Chamber’s National Security Task Force, expanded on the concepts included in our January letter. Most of the major recommendations and priorities spelled out in these documents—which have guided the Chamber’s decisions to support the SECURE IT Act and similar House legislation—are not reflected in S. 3414.

While the Chamber recognizes that the Senate and the committees of jurisdiction have examined cybersecurity as an issue for the past several years, S. 3414 is far from a complete product. It is also a bill that has been crafted largely outside the regular order process.

The original version of this legislation—S. 2105—was introduced on February 14, 2012. A single hearing was held February 16 on the bill; it was at this hearing that Secretary Ridge testified on the Chamber’s behalf. There was no markup or further consideration of this legislation by the Committee. S. 3414, which has some substantial differences from S. 2105, was introduced on July 19 and went straight to the Senate floor with neither a Committee hearing nor a markup. Leader Reid and other senators have talked about a potential “manager’s amendment,” which may be considered; this amendment remains a moving target and has not yet been released.

The flawed process by which S. 3414 was developed has led to a flawed bill. The Chamber appreciates the willingness of senators to engage with the business community on this important issue, and we hope that these efforts will continue. Still, as the Chamber asserted at a meeting last Friday hosted by Sens. Lieberman, Feinstein and Coons, there are no “quick-fix” amendments that can achieve what should be a central goal of S. 3414: legislation that enhances U.S. cybersecurity by helping the business community thwart cyber threats.

The Chamber believes S. 3414 could actually impede U.S. cybersecurity by shifting businesses’ resources away from implementing robust and effective security measures and toward meeting government mandates.

Cybersecurity relies on the business community and the federal government working collaboratively. The regulatory approach provided in S. 3414 would likely create an adversarial relationship, which should be unacceptable to lawmakers. The Chamber urges Congress to not complicate or duplicate existing industry-driven security standards with government mandates and bureaucracies, even if they are couched in language that would mischaracterize these standards as “voluntary.”

The Chamber believes Congress can move the needle in a meaningful way on cybersecurity by approving the SECURE IT Act. The Chamber urges you to support amendments expected to be offered that would strike the text of S. 3414 and replace it with the SECURE IT Act of 2012. The Chamber strongly opposes S. 3414, the Cybersecurity Act of 2012 and may consider votes on, or in relation to S. 3414 in our annual How They Voted scorecard.

Sincerely,
R. Bruce Josten