The GOP members on the House panel gave full credence to the concern that a regulatory mandate, such as the one provided for in the comprehensive Senate bill, would invite harmful repercussions that could actually undermine the nation's security posture.
"Any sort of legislative effort that would provide overbroad regulation or certification regimes," Terry said, "would have unintended consequences."
Added Florida Republican Cliff Stearns, "Prescriptive, top-down government mandates are not only unnecessary, but they simply will not work."
Making the Complex More Complicated
Industry opponents to new cybersecurity regulations acknowledge the severity of the threats. On that point there is little political disagreement. But advocates of a hands-off approach argue that adding a new set of regulatory and compliance requirements through comprehensive cybersecurity legislation would be counterproductive, only serving to further complicate an Internet ecosystem and threat landscape that already are bewilderingly complex.
"When you write a law we do paperwork," Ed Amoroso, AT&T's senior vice president and chief security officer, told the lawmakers. He and other representatives of the telecom sector on hand to testify on Wednesday argued that as consumer-facing operations, their companies have every incentive to ensure that their networks are secure, and indeed already have robust security procedures in place that would hardly be improved by additional government oversight.
"If we're already doing it and government comes in and says you need to fill out this compliance checklist, you're taking people away [from their work on security]," Amoroso said.
By that approach, the government's role would be confined to facilitating information sharing by removing antitrust barriers and enacting liability protections to shield companies that do share information and maintain a reasonable security apparatus from civil litigation.
"I don't think there's an agency in a position to solve a problem that we can't solve ourselves," Amoroso said. "I'm not really sure what they should be telling us. That's the problem."
The nods of agreement among many lawmakers on the dais at that sort of comment suggested the uphill climb any comprehensive measure that emerges from the Senate would face in the lower chamber.
The information sharing and liability-protection measures are far less controversial. As are proposals that some of the witnesses at Wednesday's hearing advocated, such as efforts to improve the government's own cybersecurity posture, boosting research and development and promoting security in computer education programs.