Article from :
Execs try to slow tech security rules
Wednesday, December 3, 2003 Posted: 10:18 AM EST (1518 GMT)
WASHINGTON (AP) -- Technology executives are trying to convince the
Homeland Security Department that costly new computer security rules
aren't needed, arguing their companies are already taking aggressive steps
to defend against hackers.
The behind-the-scenes lobbying is paying dividends. The administration is
reconsidering its support for a plan requiring publicly traded companies
to describe their hacker defenses to securities regulators.
That proposal was among the earliest outgrowths of the Bush
administration's strategy for securing cyberspace. Now industry lobbyists
and academics are being given a chance to rewrite the proposed legislation
to make it more palatable to them.
The influence of industry groups like the Information Technology
Association of America and the Business Software Alliance in shaping the
administration computer security policy has impressed some observers.
"They've driven it in many ways. They've been very, very effective," said
James Lewis, the technology policy director for the Center for Strategic
and International Studies, a Washington think tank.
Homeland Security officials are sensitive to suggestions that the largest
U.S. technology companies -- deeply concerned about the potential costs of
new regulations -- have exerted undue influence. But they defend working
closely with executives, noting the industry's ownership of most computer
networks and the U.S. government's hands-off preference toward most
"We're clearly not catering to special interests," said Amit Yoran, the
newly appointed director of the department's National Cyber Security
Division. But Yoran, a former executive at the antivirus firm Symantec
Corp., added: "To not allow for industry associations to provide us with
their input and their opinions would not be prudent. It would be
Homeland Security Secretary Tom Ridge was expected to solicit suggestions
from technology executives Wednesday during an appearance at a conference
in Santa Clara, Calif., organized with industry.
Executives there already have established working groups to advise the
Homeland Security Department on subjects that include how to set up
early-warning networks and encourage companies to design better software.
One early idea under consideration: professional licenses for software
writers, like those for doctors and engineers.
Last month, Ridge told technology executives it was "worthy and timely" to
consider requiring companies to disclose to the Securities and Exchange
Commission how well they're prepared for hacker attacks. But the
administration is reconsidering its support for that idea after technology
companies strongly objected.
"It is premature at this point to say that public companies need to have a
disclosure requirement," said Robert Holleyman, chief executive for the
Business Software Alliance, whose members include Microsoft Corp., Intel
Corp., Apple Computer Inc. and Cisco Systems Inc.
So far this election cycle, technology companies have contributed nearly
$5.6 million to candidates, split among Democrats and Republicans. That is
less than some industries -- such as banking or health care -- but more
than oil and gas interests.
Holleyman said new government rules are likely if companies don't
voluntarily improve their computer security. "If that challenge is not met
and a major cyberattack were to occur, then industry might have to deal
with legislation or a response that might not be as well thought out as
one would hope," he said.
The same lobbying approach proved successful five years ago when
technology companies were threatened with rules to better protect the
privacy of Internet users. Trade groups were able to show what they said
were pro-privacy measures companies were taking and largely avoid new
But critics believe a voluntary approach won't be adequate.
"Without legislation, how are you going to get people to enforce this?
You've either got to get a carrot or a stick," said Michael Rasmussen, a
vice president for standards and policy for the Information Systems
Security Association. "There's a lot of lobbying dollars there. Vendors
are throwing a lot of money around to protect themselves."
Stefanie B. Ploof
University of Vermont
CIT Client Services / CALS IT Office