Two of the largest U.S. business-lobbying groups criticized aSenate cybersecurity bill aimed at shielding vital computernetworks, saying the measure would burden companies with unneededand costly regulation.

The bipartisan legislation introduced yesterday calls for theU.S. Homeland Security Department to identify systems critical tonational and economic security and set security rules foroverseeing companies and government agencies.

Lawmakers and regulators say rules are needed to fightincreasingly sophisticated cyber attacks capable of disruptingpower grids, banks and communications networks. Industry groupssaid the bill's broad approach may raise costs for businesses andbe too prescriptive, particularly for financial companies held tohigh security standards by regulators.

“If the end goal is to strengthen cybersecurity as we know it,why should we throw out what is working?” Peter Freeman, a vicepresident at the Washington-based Financial Services Roundtablerepresenting Bank of America Corp. and JPMorgan Chase & Co.,said yesterday. “Where existing structures have proven successfulwe shouldn't replace them.”

The U.S. Chamber of Commerce, the nation's biggest businesslobby, opposes a new regulatory program overseeing vital systemsand favors company incentives rather than rules to improvesecurity, Bobby Maldonado, a spokesman, said by e-mail yesterday.The group agrees with seven Republican senators in urging lawmakersto delay consideration of the bill and hold hearings before avote.

A Bloomberg Government study released Jan. 31 found thatutilities, banks and other operators of critical networks wouldhave to spend almost nine times more on computer defenses toachieve security capable of preventing 95 percent of attacks, anincrease to $46.6 billion a year from about $5.3 billion.

The study, conducted by the Ponemon Institute LLC, a TraverseCity, Michigan-based security-research firm, was based oninterviews with technology managers at 124 companies and 48government agencies.

The Senate Homeland Security and Governmental Affairs Committeescheduled a Feb. 16 hearing on the measure backed by Senators JoeLieberman, a Connecticut Independent, and Susan Collins, a MaineRepublican. Senate Majority Leader Harry Reid, a Nevada Democrat,has said he wants to bring the bill to the chamber's floor for avote as soon as possible.

Oracle, Cisco Support

Oracle Corp., a software and data-storage services supplier, andCisco Systems Inc., a networking products provider, sent a letteryesterday supporting the bill to Reid, Lieberman, Collins andSenator Jay Rockefeller, a West Virginia Democrat. The legislationincludes provisions that “will enhance the nation's cybersecuritywithout interfering with the innovation and development processesof the American IT industry,” the companies said.

A letter expressing reservations about Reid's plans for swiftaction on the measure by the full chamber was signed by Kay BaileyHutchison of Texas, John McCain of Arizona, Charles Grassley ofIowa, Saxby Chambliss of Georgia, Lisa Murkowski of Alaska, JeffSessions of Alabama and Mike Enzi of Wyoming.

The push for comprehensive cybersecurity legislation hasintensified following attacks last year on companies including NewYork-based Citigroup Inc., the third-largest U.S. bank by assets,and Bethesda, Maryland-based Lockheed Martin Corp., the world'slargest defense company.

“We are on the brink of what could be a calamity,” Rockefellersaid in announcing the bill on the Senate floor. “A widespreadcyber attack could potentially be as devastating to this country asthe terror attacks that tore apart this country 10 years ago.”

Under the legislation, the Homeland Security Department wouldhave the power to identify systems that may cause mass casualtiesor catastrophic economic damage when attacked. The agency would setregulations requiring operators of critical networks to improvesecurity. Companies would have to show that their networks aresecure or face penalties.

Other industry groups took a neutral approach to the bill.

The Senate legislation “is a careful and bipartisan approach” toprotect critical systems “without forcing unnecessarily broadmandates on industry,” said Dan Varroney, acting president ofTechAmerica, a Washington trade group whose members include AppleInc., International Business Machines Corp. and Dell Inc.

Further Changes Sought

He said his group seeks further changes to ensure the billdoesn't impede industry's “ability to continue to innovate and beflexible to respond to the evolving cyber threat landscape.”

The Edison Electric Institute, which represents investor-ownedutilities including Southern Co. of Atlanta and Exelon Corp. ofChicago, hasn't taken a position on the Senate bill, Dan Riedinger,a spokesman for the Washington-based industry group, said in aphone interview.

Dave Scanzoni, a spokesman for Duke Energy Corp., declined tocomment on the legislation, saying his group supports a “uniformnational approach to cybersecurity.”

The debate over cybersecurity legislation is unfolding amidincreased concerns that U.S. networks are vulnerable to theft andsabotage. Hackers from China and Russia are pursuing Americanindustrial secrets, jeopardizing an estimated $398 billion in U.S.research, according to a Nov. 3 report from the NationalCounterintelligence Executive, an advisory panel of senior U.S.security officials.

Companies with payroll and other corporate accounts lose about$1 billion a year because of hackers based mostly in EasternEurope, according to Don Jackson of Dell SecureWorks. Hackers sellstolen credit-card data as little as $3.50 per card on undergroundbazaars, an investigation by Bloomberg News showed last year.

More than 80 U.S. law firms have been targeted by China-basedhackers intent on acquiring their clients' deal data to giveChinese companies an edge investments and negotiations, accordingto Mandiant Corp., an Alexandria, Virginia-based cybersecurityfirm.

While disagreement exists on when hackers will disrupt criticalU.S. networks, most authorities say it will occur within the nextcouple of years, James Lewis, director of the technology and publicpolicy program at the Center for Strategic and InternationalStudies in Washington, told the House Energy and CommerceCommunications and Technology Subcommittee during a Feb. 8hearing.

The government and companies should work together to map outcomputer security deficiencies rather than impose a broadregulatory framework, Robert Dix, vice president of governmentaffairs for Sunnyvale, California-based Juniper Networks Inc., ahardware and software provider, said in an interview Feb. 8.

“Let's take the chewable bites,” said Dix, whose company makescomputer hardware and software. “Let's pass it, get traction andthen build on it.”

The Senate bill is S. 2105.

Bloomberg News

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.