Bill Would Have Businesses Foot Cost Of Cyberwar With a raft of cybersecurity proposals under consideration in Congress, the U.S. business community is making increasingly clear that it opposes new regulations that would require private companies to adhere to minimum performance standards or report all cyber intrusions they experience to the government.

Bill Would Have Businesses Foot Cost Of Cyberwar

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


Almost every day, we hear new warnings that critical U.S. computer networks could be taken down by foreign adversaries, cyber-criminals, maybe even terrorists. This week has brought the news that gas pipeline companies in the United States may be dealing with a round of cyber-attacks. Over the next few days, we'll be exploring how the country could improve its cyberdefense. And here's the first question: Is it up to the government to make sure that our computers are protected, or is this a job for private industry? NPR's Tom Gjelten has the story.

TOM GJELTEN, BYLINE: What makes the cybersecurity challenge so difficult is that most of the really important computer networks - the ones that control the power grid, the banking system, food distribution, water treatment - are privately owned. So, if there were a big cyber-war and the enemy went after those computers, the companies that run them would have to take care of the networks themselves. There's no national cyber-army to defend them. Government officials make that point every chance they get. Frank Montoya, the country's top counterintelligence official, speaking last month at a cybersecurity conference, reminded the businesspeople in his audience how much has changed since World War II, when the U.S. military did the fighting and private industry played only a support role.

FRANK MONTOYA: Let's fast-forward to the 21st century. We're an information-based society now. Information is everything. That makes you, as company executives, the frontline - not the support mechanism, the frontline in what comes.

GJELTEN: But is private industry up to that challenge? Recent studies suggest companies are not doing a good job protecting their networks, not spending close to what's necessary to make their computers secure. So, the big new idea: Require companies to improve their cybersecurity with the government then checking on them. It's in a bill introduced by Senators Joe Lieberman of Connecticut, Susan Collins of Maine and others. Not surprisingly, business leaders don't like it.

LARRY CLINTON: The major concern is the vast regulatory structure that would be set up at the Department of Homeland Security.

GJELTEN: Larry Clinton is president of the Internet Security Alliance, representing many companies with a stake in the cybersecurity debate. An interesting point here: The debate is not strictly partisan. The big dividing line isn't so much between Republicans and Democrats, as between the business community and the national security establishment. Stewart Baker was an assistant secretary of Homeland Security under George W. Bush. He's a Republican, and he's normally pro-business and anti-regulation, but not when it comes to cyberdefense.

STEWART BAKER: I see a big conflict between the desire to avoid regulation and the desire to protect national security. I come down more on the national security side of that debate.

GJELTEN: And he's not alone. On that same side are Mike McConnell, President Bush's director of national intelligence, and Michael Chertoff, President Bush's secretary of Homeland Security. Stewart Baker says it's no surprise that national security-types think government should require companies to do a better job protecting their computer networks.

BAKER: When you've had responsibility and had to live with the possibility that tomorrow, you'll wake up, and on your watch, something very bad has happened, you have a different view about the importance of being able to do something about it.

GJELTEN: On the other hand, national security leaders don't necessarily have much experience running a private business. Larry Clinton from the Internet Security Alliance says it's just a case of two cybersecurity perspectives.

CLINTON: The legally mandated role of the government is to provide for the common defense. And they're willing to spend pretty much whatever it takes to do that. If you are in a private organization, your legally mandated responsibility is to maximize shareholder value. You can't spend anything on any cyber-threat. You have an entirely different calculus that you have to put into effect.

GJELTEN: Clinton agrees companies do need to spend more on cyberdefense than they're spending now - more on new technology, monitoring and security consultants. But just requiring companies to spend that money without regard for whether they can afford it doesn't make sense, he says.

CLINTON: Whether we like it or not, we're going to have to figure out a way to get private companies to make, on a sustainable basis, investments that are not justified by their business plans, and simply telling them, well, you have to ignore your business plan. It's not a sustainable model. We have to find a way to make it economic.

GJELTEN: National security leaders say there are times when the country simply has to make an investment, whether it makes business sense or not. A massive cyber-attack would be devastating. OK, says Larry Clinton, so let the government pick up the check.

CLINTON: If the government was interested in paying the private sector to do all of these things, probably we would go a long way towards doing it. But the government so far - well, the Lieberman-Collins Bill - wants it all done for free. They want the businesses to simply plow that into their profit and loss statement, and the numbers are staggering. You simply can't do it.

GJELTEN: How to get private companies to do what the country needs them to do is probably the toughest question in the debate over what new cybersecurity laws are needed. But it's not the only issue. Another is how to make it easier for government and industry to share what they each know about emerging cyber-threats. Why that's so important is tomorrow's story. Tom Gjelten, NPR News.

Copyright © 2012 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.