AUDIE CORNISH, HOST:
A top priority in Congress this week, legislation to bolster cybersecurity. Lawmakers have introduced a variety of bills and the main difference among them is whether the government should require companies to build up their cyber defenses or just encourage them. NPR's Tom Gjelten reports that the White House is pushing hard for a mandate.
TOM GJELTEN, BYLINE: It's only been recently that the notion of an attack on U.S. computer networks even registered as a security threat, but there's now a big concern that an enemy could use cyber weapons to take down a power grid, a water treatment facility or a pipeline - in other words, the nation's critical infrastructure. The ability to defend against such an attack is improving. What's needed now are new laws and policies to support the nation's cyber defenses. On that, nearly everyone agrees.
But should private firms like power companies be required to protect their computer systems? That's the question. The White House says, yes. John Brennan is the president's counterterrorism and homeland security advisor.
JOHN BRENNAN: We believe, particularly in the area of critical infrastructure, that the companies that are responsible for that critical infrastructure need to meet certain standards of cybersecurity protection. This is where the debate is centered right now.
GJELTEN: Brennan says most companies on their own are spending the money, doing what they need to do to protect their computer systems from attack. They don't mind having to meet certain minimum security standards, he says, but other companies don't want to be told what to do.
BRENNAN: Some, for whatever reason, whether it be for monetary purposes or because they just have poor security practices, are reluctant to have the government set these standards.
GJELTEN: The White House strongly supports legislation pending in the Senate that would establish minimum cybersecurity standards companies have to meet. But that proposal has run into stiff opposition from business groups. An alternative bill moving on the House side only encourages better cybersecurity. Representative Dutch Ruppersberger, the ranking Democrat on the House intelligence committee told reporters last week that the bill would have the government issue alerts about imminent cyber attacks or dangerous new software, but the bill would not require that anything be done with that information.
REPRESENTATIVE DUTCH RUPPERSBERGER: It clearly goes to the private sector, who then uses their resources to protect their customers and themselves and it's only voluntary if they want to come back to the government.
GJELTEN: The question of whether to promote voluntary cybersecurity measures or require adherence to minimum standards will loom large in the legislative debate coming in the next few weeks. White House advisor John Brennan says the threat of cyber attacks is so serious that the government has a responsibility to make sure the nation's critical infrastructure is well protected.
BRENNAN: We have these standards when it applies to the aviation industry. We have it on so many different areas, I would think that the American would like some assurance that the water that they drink, that the electricity that they rely on is going to be protected. And we well know that they cyber threats that are out there are just growing every day.
GJELTEN: But it's not easy in an election year to promote new government regulations and additional mandates. Some advocate of tougher cybersecurity standards say it may just make sense to pass whatever measures are politically possible right now and then to build on them later when the threat of cyber attacks becomes more real than it may appear to be right now. Tom Gjelten, NPR News, Washington.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.