Reporting mandate may widen with new cybersecurity bill

By OhMyGov! Nov 22 2010, 11:11 AM

As Congress works toward comprehensive legislation on cybersecurity, at least one aspect is ripe for controversy: requiring private companies to report attacks on their own networks to the government.

The issue arose last week at a hearing by the Senate Homeland Security and Governmental Affairs Committee, chaired by Sen. Joe Lieberman (I-CT), reported NextGov. Lieberman is cosponsor of the 2010 Protecting Cyberspace as a National Asset Act (S. 3480), along with Maine Republican Susan Collins, who noted that 85 percent of the nation’s critical infrastructure is held by private entities.

Lieberman asked government and industry representatives at the hearing whether the Dept. of Homeland Security needed additional powers to respond to threats. The emergence of the malicious Stuxnet program, believed to be targeting commercial control systems such as those in power plants.

Companies and the government are working together to address cybersecurity risks. DHS only steps in when its cybersecurity services are requested, and has yet to specifically ask for new regulations. But the prospect of new reporting requirements isn’t being welcomed by everyone.

“The industry is already working very productively voluntarily,” said Mark W. Gandy, an information security manager at Dow Corning