WASHINGTON (Reuters) - A Republican task force in the House of Representatives said Congress should give companies incentives to boost their cyber defenses, but that tougher regulation may be warranted to protect critical facilities like power and water plants.
Recommendations in the report, which was released on Wednesday, can “reasonably be acted upon during this Congress,” which ends in January 2013, said the task force of 12 Republicans headed by Representative Mac Thornberry.
Senate Democratic Leader Harry Reid’s office is overseeing the drafting of a comprehensive cybersecurity bill aimed at combating breaches and theft from company and government computer networks. But progress has been slow.
The Thornberry report appeared to reject Reid’s comprehensive approach, arguing for a more piecemeal strategy to avoid unintended consequences.
“We think that it is very important that you get the details right,” Thornberry told Reuters.
The report also appeared to be skeptical of government regulation to strengthen cyber defenses with the exception of critical facilities like nuclear power, electricity, chemical and water treatment plants.
“Congress should consider carefully targeted directives for limited regulation of particular critical infrastructures,” the Thornberry report said.
White House spokeswoman Caitlin Hayden said the Obama administration was still reviewing the House report but thought it “reflects a common belief” in the need to confront cyber threats to U.S. national security.
“We remain committed to the passage of cybersecurity legislation and look forward to working ... on the swift accomplishment of this goal,” she said.
U.S. lawmakers have considered several cybersecurity bills in recent years, but failed to pass any despite a growing sense of urgency following hacking attacks on Google Inc (GOOG.O), Lockheed Martin Corp (LMT.N), the Pentagon’s No. 1 supplier, Citigroup (C.N), the International Monetary Fund and others.
Among the many obstacles to cyber legislation are overlapping jurisdictions in Congress and disagreement over how much a role government should play in regulating and protecting private networks.
Congress, meanwhile, has spent much of the recent months in bitter battles over the budget and national debt.
Paul Smocer of the Financial Services Roundtable, which represents banking, securities, investment and insurance firms, said a cyber bill “probably has a better chance now than it’s ever had” in spite of Washington’s rancor over debt and taxes.
“Obviously Congress is dealing with a lot of key issues. But we are seeing some momentum behind the introduction of legislation and in its consideration, more so than we have seen in quite a while,” he said.
Cameron Kerry, the Commerce Department’s general counsel, said on Tuesday there was “a good chance” that some significant cybersecurity legislation could win approval by March.
“This is a difficult political environment to get things done but you’ve seen that there are times that you can get bipartisan agreement on legislation,” he said.
The Ponemon Institute said in an August report that cyber attacks cost U.S. and multinational organizations $1.5 million to $36.5 million per year for each of the 50 companies surveyed.
The National Association of Manufacturers, which represents 11,000 companies, said Congress should avoid “imposing a prescriptive regulatory framework” and instead put forward incentives for firms to get fully up-to-speed on cyber security.
But Howard Schmidt, the top White House cyber official, said putting into law “established good business processes” was needed to ensure that lights stay on, water is drinkable and phones work if tech-savvy criminals target the computer networks that make public utilities vulnerable to attack.
The House report also urged legislation to improve information sharing between the government, Internet service providers, or ISPs, ISP customers and others in a position to know about malicious traffic on networks.
The administration is beginning a similar effort by creating guidelines for ISPs to notify customers whose computers have been wrangled into a botnet, essentially a network of computers disseminating malicious software unbeknownst to their owners.
Thornberry liked the idea. “I think that’s a wonderful development,” he said. “To what extent the government should be involved, that’s not quite clear.”
Editing by Eric Beech and Paul Simao