On September 19, Sen. Jay Rockefeller (D-WV) sent letters to the CEOs of every Fortune 500 company seeking information on their companies’ cybersecurity practices and their concerns with respect to government involvement in protecting critical cyber infrastructure. Stating that he was "profoundly disappointed" in the Senate’s inability to pass comprehensive cybersecurity legislation in August, Sen. Rockefeller is urging President Obama to address cybersecurity issues through an Executive Order and is asking the CEOs for their views on cybersecurity, which he intends to use in support of future legislation.
Sen. Rockefeller asked the CEOs to respond by October 19, 2012 to the following eight questions:
– Has your company adopted a set of best practices to address its cybersecurity needs?
– If so, how were these cybersecurity practices developed?
– Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
– When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
– Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
– What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
– What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
– What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?
A list of companies that received the letter is available here.