Cybersecurity: How CEOs Are Planning to Fight Back
Cybersecurity shot to the top of the public policy debate with President Obama's issuance of an executive order on cybersecurity. Media report serious cyber attacks against business and government almost every day.
But the threats – and need for action – in the world of cybersecurity are nothing new to the more than 200 CEOs of leading companies that make up the Business Roundtable. Because these attacks routinely target the networks that BRT-member companies' businesses rely on, they are, in fact, a daily reality that receives constant attention from executives. Often these threats target the core of global business, posing risks to customers, suppliers, trade secrets and the delivery of critical services.
Attacks are largely unpredictable and can unfold in seconds or minutes, or in some instances, over the course of years. Alarmingly, cybersecurity threats of this magnitude represent risks to the public and private sectors that neither sector can unilaterally defend against.
With so much at stake, the CEOs of the Business Roundtable have spent the past two years studying how government and business can work together more effectively to improve the nation's cybersecurity resilience. The result was our recent statement, "More Intelligent, More Effective Cybersecurity Protection," in which we argue for a more dynamic and sophisticated framework for dealing with constantly evolving cybersecurity threats.
From our perspective, business needs intelligence and tools from the government that only the government can provide, and we believe that the foundation of any successful cybersecurity policy must be improved information sharing between business and government.
To accomplish such a framework, Congress should remove several impediments that have held public-private information sharing back for the past decade. For instance, today businesses lack adequate liability protections.
Consider these two examples:
- First, cyber attackers do not necessarily limit their activities to a single company; often they attack several companies in the same sector. But currently, companies cannot freely share information with competitors about these potential attacks because of antitrust concerns.
- Second, even though information sharing is the bedrock of an effective cybersecurity policy, the information shared will not always be 100 percent perfect. In the cases where companies and the government must make decisions with imperfect information, or when companies follow a recommendation from the government, BRT members believe liability protection is essential.
By issuing the executive order, the Obama administration took an important first step in setting the course for improved information sharing. At the same time, Congress must pass complementary legislation with strong liability and privacy protections so information sharing can work. While Business Roundtable has endorsed the Cyber Intelligence Sharing and Protection Act (CISPA) as a starting point for information-sharing legislation, we support further vigorous debate that leads to a bill that can pass both chambers of Congress and be signed by the President.
Once information sharing is in place and producing threat information that government and business can act on, the nation needs a renewed focus on public-private risk management.
The President's executive order also addresses risk management by establishing cybersecurity standards to raise the bar on the protection of the nation's information assets supporting critical services such as utilities, water, gas and financial services. In the area of cybersecurity standards, we look forward to working with the Administration to ensure that standards are risk-based, agile and can react to evolving cybersecurity threats. The President has directed an aggressive schedule for developing standards that will consume significant public and private resources, and Congress should closely monitor the process before taking action.
Finally, CEOs are committed to doing their part within the private sector to strengthen cybersecurity. CEOs will create and pay for programs that bring threat information into corporate risk management. CEOs will take action on significant cybersecurity risks, communicating to boards of directors about these risks and responses. Boards of directors must continue to oversee cybersecurity risks to corporations.
Our nation's attention to cybersecurity risks has reached a new level, reflecting the rising threats to America's national and economic security. CEOs have long given these threats the serious attention they warrant, but they need the tools to get the job done.
Liz Gasster is a Vice President for the Business Roundtable. In this role, she oversees the Information & Technology Committee, promoting policies that use technology to access new global markets and customers, and the Select Committee on Regulatory Reform, advocating for rules that promote growth instead of stifling business investment and opportunity.