The U.S. government does not need to mandate IT security audit reporting because corporate America will adopt best practices voluntarily, industry lobbyists promised. But they said Congress could encourage the process by providing incentives, such as limited liability for security breaches, tax breaks for buying qualified products and an antitrust exemption for group boycotts of uncertified goods.
A broad cross-section of U.S. businesses has asked Congress to be allowed to establish security specification agreements for software and hardware purchases.
In a recommendation delivered to the House technology subcommittee, several industry groups are seeking an exemption from antitrust laws if they jointly refuse to purchase uncertified products.
The proposal, part of a set of recommendations covering a broad range of cyber-security practices meant to deflect the possibility of new regulations, was not received favorably by IT security providers.
"I'm not sure if that necessarily works," Art Coviello, president and CEO of RSA Security Inc., of Bedford, Mass., told eWEEK. "All businesses have different requirements. And, quite frankly, they might not be qualified [to establish standards]."
Fragmenting security standards on an industry-specific basis could be counterproductive, said Bill Conner, chairman, president and CEO of Entrust Inc., of Addison, Texas.
"To the extent that you start getting industry-specific, you're working against yourself. We need a common framework that we can all measure to," Conner said. "As a supplier, you can't create eight different levels."
The antitrust exemption and other recommendations were delivered to Rep. Adam Putnam, R-Fla., who chairs the technology subcommittee. Last year, Putnam drafted legislation that would require publicly traded companies to file an information security status report as part of their yearly Securities and Exchange Commission filing. He postponed introducing the bill, however, and convened a Corporate Information Security Working Group to find alternative ideas.
The working group concluded that traditional regulations won't be effective when it comes to network security because national laws don't address the international nature of cyberspace. In addition, public disclosure of security problems could guide terrorists in their work, the group told Putnam. Instead of the "stick" of traditional government mandates, the industry is urging Congress to provide the "carrots."
Limiting liability for security breaches or providing safe-harbor protections could encourage the insurance industry to offer cyber-risk insurance, something that isn't widely offered today because the potential costs are considered too high. Increasing the availability and use of insurance would, in turn, encourage more companies to adopt best practices in order to receive favorable insurance rates.
The working group also suggested economic incentives for IT security investments, but it is widely agreed that the proposal would face a tough battle in the current budgetary climate.