TIA cautions against cybersecurity mandates

Lieberman and four other co-sponsors introduced a
revised version of his bill last week that softened provisions dealing with critical
infrastructure. It proposed to establish a program where companies operating
critical infrastructure could certify that their computer systems meet
certain cybersecurity standards in exchange for incentives. The changes
were made to mollify concerns voiced by Republicans and business groups
about the bill being too regulatory.

The five co-sponsors are hosting a press conference on Tuesday afternoon
to describe the changes made to the latest version of the cybersecurity
bill.

Danielle Coffey, TIA’s vice president for government affairs, said the
trade group is still reviewing the latest version of Lieberman’s bill
but noted it made “real progress” from the original one introduced
earlier this year. However, she added TIA is still weighing whether the
critical infrastructure provisions are “truly voluntary measures.”

“If it’s benchmarks and goal posts they want us to reach, and [also
create] a structure where regulations may or may not be imposed, that
leaves a lot open for the government to come up with regulations and
mandates in the future, even if it’s not the intention of this Congress
to impose them right now,” said Coffey.

In the white paper, TIA argues that improving information sharing about
cyberthreats between the government and industry would help critical
infrastructure operators immediately address bad code or other malicious
threats spotted on their computer systems. The white paper noted that
information sharing needs to happen in real-time and also voiced support
for the House’s Cyber Intelligence Sharing and Protection Act.

Lieberman, Sen. Susan Collins (R-Maine) and the other sponsors of the
cybersecurity bill have argued over the past year that information
sharing isn’t enough to combat the growing cyberthreat the nation faces
and standards for critical infrastructure also need to be a part of the legislative
solution. The senators have pointed to statements made by Gen. Keith
Alexander, head of U.S. Cyber Command, and former National Security
Agency Director Michael Hayden about how legislation should include some sort
of cybersecurity standards for critical infrastructure in addition to
information sharing measures.

Among the six policy recommendations listed in the report, TIA argues
for increased funding for cybersecurity research and development and
support of industry-developed cybersecurity best practices. It also
warns against the introduction of supply chain rules that would restrict
telecommunications equipment from being imported into the United
States, noting that the nation’s “global economic competitiveness could
be severely affected by other export markets adopting similar
restrictive policies.”

TIA’s member companies include Qualcomm, Raytheon, Apple and Cisco.