Senator Rockefeller Says "Voluntary Cybersecurity Regulations Really Mandatory"

By Paul Rosenzweig
Wednesday, September 19, 2012, 10:33 PM

OK.  I admit it.  I made up the quote that is the title of this post.  Senator Rockefeller never said any such thing.  But he did almost as much by demonstrating (probably by accident) why industry fears the specter of "voluntary regulations."

When last we left the cybersecurity regulatory debate, before the August recess, the supporters of a regulatory structure had made what they said was a significant concession -- instead of being mandatory the standards that DHS would develop would be voluntary.  There would be incentives to adopt these voluntary standards (liability protection, preferential access to classified threat information, and a procurement preference) but, they said, companies would be free to ignore the standards if they wanted to.  Industry responded that they feared the voluntary standards would become mandatory but regulatory supporters derided those fears as unfounded.

Now let's fast-forward to September.  Just the other day, Senator Rockefeller, a supporter of the regulatory system, sent a long letter to the CEOs of all the Fortune 500 companies.  While expressing mock surprise that any American company could possibly be opposed to good cyber regulation and condemning the "filter" of Beltway lobbyists (like the Chamber of Commerce) who must be misleading the poor CEOs, he posed a series of eight highly detailed questions about each company's cybersecurity policies and asked for written responses within a month.

Now let's leave aside the unseemliness of a single Senator (however rich and powerful he might be) attempting to bully his opposition into submission.  In the end, his request for information does not have the force of law and thus any response to his letter will be, de jure, voluntary -- in exactly the same way that the cybersecurity regulatory system the Senator supports would be voluntary as a matter of law.

But sometimes the mask slips a little bit and we see the naked coercive nature of such requests for "voluntary" compliance.  Siobhan Gorman of the Wall Street Journal had a report on the Senator's letter to industry that is revealing for its candor.  According to Gorman:

Sen. Rockefeller's inquiry is unusual in its breadth, reaching 500 companies. In the past, he has requested information from smaller numbers of companies, and firms have almost always responded.

"When a member of Congress sends a letter asking for information, the assumption is that letter will be responded to," said committee spokesman Vincent Morris. "I'd be very surprised if they did not respond."

The Fortune 500 includes CEOs running companies that handle a range of industries, from electric and banking to retail and manufacturing. They aren't required to respond, as they would with a subpoena, but they are asked to provide the information by Oct. 19.

So there you have it.  Voluntary isn't really voluntary.  Companies feel obliged to "almost always respond" and the Senator's spokesman would be surprised if they didn't this time as well.  Indeed, the assumption is that they will respond.

And it's a good assumption.  When a powerful Senator asks you a question, you decline to answer at your peril.  In the words of Don Corleone, he is making you an offer you can't refuse -- and he knows it.  And when a powerful agency, like DHS, sends you a set of voluntary cybersecurity standards ... it's probably also an offer you can't refuse.

And that, in a nutshell, is why voluntary standards are no panacea.  The Chamber should thank Senator Rockefeller for making their point for them.