Lawmakers Drafting IT Security Requirements

Lawmakers step up their efforts to make the nation's cyber-infrastructure secure.

Lawmakers are getting less subtle with their demands that vendors and network operators do everything possible to make the nation's cyber-infrastructure secure. Even legislation dictating IT security requirements—regarded as a last resort—is in the works and slated for introduction by year's end.

Advising corporations to "get their house in order" and demonstrate that regulation is unnecessary, Rep. Adam Putnam, R-Fla., chairman of the subcommittee on technology and information policy, said last week that legislation is in development.

"As we dig in, as we learn more, there are areas where I believe the subcommittee will be drafting bills toward the end of this year that will affect the private sector," Putnam told a group of IT vendors and policy-makers at an e-government forum sponsored here by the Business Software Alliance and the Center for Strategic and International Studies.

The government does not have to actually set technology standards to achieve the goals of securing networks, Putnam said. Instead, it could require public companies to disclose IT security audit results in Securities and Exchange Commission reports, similar to how Y2K security measures were reported.

Reaction from the private sector to a potential security reporting requirement is lukewarm. "Some of the examples we set on Y2K about being prepared provide a good model," Robert Holleyman, CEO and president of the Business Software Alliance, told eWEEK. "It's an open question, though, whether security audits should be required. Y2K was a one-time risk."

Lawmakers are also looking at establishing a standard evaluation template, similar to the one used by the Department of Defense, for non-DOD programs, and they may consider implementing a federal testbed for security patches, Putnam said.

The federal government has taken "a dangerously lopsided approach to a comprehensive homeland security" program, and cyber-security is not being given the same level of attention as physical security, Putnam charged. "I'm finding a lack of attention and a lack of understanding by the Congress and by the administration as to the serious nature of the threat," he said.

Eager to ward off regulation, the industry is quick to point out that the federal government is still the biggest consumer of technology and that its purchasing power can be employed to promote improved security.

"We are a simple beast, and we are [motivated] by simple things," Tim Hoechst, senior vice president for technology at Oracle Corp., of Redwood Shores, Calif., said at the forum. "What [motivates] us is what our customers buy."