WASHINGTON – Technology executives are trying to convince the Homeland Security Department that costly new computer security rules aren't needed, arguing their companies are already taking aggressive steps to defend against hackers.
The behind-the-scenes lobbying is paying dividends. The administration is reconsidering its support for a plan requiring publicly traded companies to describe their hacker defenses to securities regulators.
That proposal was among the earliest outgrowths of the Bush administration's strategy for securing cyberspace. Now industry lobbyists and academics are being given a chance to rewrite the proposed legislation to make it more palatable to them.
The influence of industry groups like the Information Technology Association of America and the Business Software Alliance in shaping the administration's computer security policy has impressed some observers.
"They've driven it in many ways. They've been very, very effective," said James Lewis, the technology policy director for the Center for Strategic and International Studies, a Washington think tank.
Homeland Security officials are sensitive to suggestions that the largest U.S. technology companies — deeply concerned about the potential costs of new regulations — have exerted undue influence. But they defend working closely with executives, noting the industry's ownership of most computer networks and the U.S. government's hands-off preference toward most Internet concerns.
"We're clearly not catering to special interests," said Amit Yoran, the newly appointed director of the department's National Cyber Security Division. But Yoran, a former executive at the antivirus firm Symantec Corp. (SYMC), added: "To not allow for industry associations to provide us with their input and their opinions would not be prudent. It would be irresponsible."
Homeland Security Secretary Tom Ridge was expected to solicit suggestions from technology executives Wednesday during an appearance at a conference in Santa Clara, Calif., organized with industry.
Executives there already have established working groups to advise the Homeland Security Department on subjects that include how to set up early-warning networks and encourage companies to design better software. One early idea under consideration: professional licenses for software writers, like those for doctors and engineers.
Last month, Ridge told technology executives it was "worthy and timely" to consider requiring companies to disclose to the Securities and Exchange Commission how well they're prepared for hacker attacks. But the administration is reconsidering its support for that idea after technology companies strongly objected.
"It is premature at this point to say that public companies need to have a disclosure requirement," said Robert Holleyman, chief executive for the Business Software Alliance, whose members include Microsoft Corp. (MSFT), Intel Corp. (INTC), Apple Computer Inc. (APPL) and Cisco Systems Inc. (CSCO).
So far this election cycle, technology companies have contributed nearly $5.6 million to candidates, split among Democrats and Republicans. That is less than some industries — such as banking or health care — but more than oil and gas interests.
Holleyman said new government rules are likely if companies don't voluntarily improve their computer security. "If that challenge is not met and a major cyberattack were to occur, then industry might have to deal with legislation or a response that might not be as well thought out as one would hope," he said.
The same lobbying approach proved successful five years ago when technology companies were threatened with rules to better protect the privacy of Internet users. Trade groups were able to show what they said were pro-privacy measures companies were taking and largely avoid new privacy laws.
But critics believe a voluntary approach won't be adequate.
"Without legislation, how are you going to get people to enforce this? You've either got to get a carrot or a stick," said Michael Rasmussen, a vice president for standards and policy for the Information Systems Security Association. "There's a lot of lobbying dollars there. Vendors are throwing a lot of money around to protect themselves."