Senator pushes full disclosure
Kevin Poulsen, SecurityFocus 2001-03-28

Bennett says new SEC rules should require companies to disclose cyber security plans.

WASHINGTON--A key U.S. lawmaker wants the Securities and Exchange Commission (SEC) to force publicly traded companies to disclose their cyber security plans, or lack thereof, to the world.

Senator Robert Bennett (R-UT), a member of the Senate's Republican High-Tech Task Force, told an industry gathering last week that special SEC public disclosure rules were crucial in encouraging companies to kill the Y2K bug at the close of the last decade. Those same types of regulations, said Bennett, are needed now to secure the nation's critical infrastructures.

"It comes down to, I'll show you my security protections, if you'll show me yours," said Bennett. "That was part of the solution to Y2K."

In July 1998, with the year 2000 changeover looming, the SEC issued a directive forcing public companies to include "full and fair disclosure" of their Y2K efforts in quarterly and annual reports. Specifically, corporations had to disclose their state of readiness, the amount they were spending on the problem, the risks the rollover posed to them, and their contingency plans in the event cyber calamity struck.

"Initially a lot of companies were not willing to do that," said Bennett. Corporations feared lawsuits and investor sell-offs, and loathed releasing information to competitors.

To counter that reluctance, in 1998 Bennett sponsored the Year 2000 Information Readiness Disclosure Act, which barred companies' Y2K disclosure statements from being used against them in most types of lawsuits. President Clinton signed the bill in October of that year.

"Confidential and sensitive information"
Speaking at the Internet Security Policy Forum last week, Bennett said he generally supports voluntary industry cooperation over government regulation. "However, again, going back to the SEC example with Y2K, I think it's appropriate for government to facilitate transparency on the question of how secure you are," said Bennett.

Bennett argued that the same systemic interdependencies that made disclosure important in battling Y2K make it important now in defending American infrastructure from cyber attack: every individual and corporation is to some degree reliant on the security of other companies' networks, said Bennett.

"It may seem like an oxymoron to be discussing transparency and security in the same sentence," Bennett said. However, if "we have transparency and understanding at the level of preparedness and expertise in networks, then we can get confidence between those networks that I can share information with this one because I'll know it will be held secure."

Bennett's proposal touches on a longstanding debate in the computer security community over the risks and rewards of disclosing security measures.

"When you're talking about security, it's a different set of uses than when you're talking about Y2K," says Douglas Sabo, vice president of information security programs with the Information Technology Association of America (ITAA), an industry trade group. "A lot of this is very confidential and sensitive information."

The risk, said Sabo, is that cyber attackers themselves might benefit from specific information on a company's security efforts.

But Sabo said that if the reporting requirements allow enough room for vagueness, new SEC regulations might indeed make cyberspace safer.

"I think it's something that may have some potential merit," said Sabo. "I think a lot of companies were moved to act faster on Y2K as a result of this, and they were given some [legal] protections as well."

An SEC spokesman said no cyber security proposal is currently in front of the commission.

Copyright 2006, SecurityFocus