Page 109 - Privacy in a Cyber Age Policy and Practice
THE PRIVATE SECTOR: A RELUCTANT PARTNER IN CYBERSECURITY
measures. Senator Jay Rockefeller has argued that offering “safe harbors”
against liability for damages to third parties caused by breaches of
cybersecurity in exchange for company compliance with President Obama’s
new framework would not lead companies to develop dynamic, effective
cybersecurity measures. Instead, “such an approach would likely have the
opposite effect. . . . Giving companies unprecedented liability protections
based on cybersecurity standards that they themselves have developed
would increase the likelihood that the American taxpayers will one day
find themselves on the hook for corporate bailouts of unknown scope
following a cyber disaster.” 27
C. A Reluctant Federal Government
In face of strong private sector opposition, the federal government has
largely resorted to cajoling the private sector to implement cybersecurity
measures and has eschewed mandatory regulation. Stewart Baker, who
served as Assistant Secretary for Policy at the Department of Homeland
Security, has described the fate of cybersecurity proposals advocated by
Richard Clarke, the first White House cybersecurity czar. According to
Baker, the proposal “sidled up toward new mandates for industry, would
have formed a security research fund that would have drawn on
contributions from technology companies, and would have increased pressure on
Internet companies to provide security technology with their products.
However, these requirements were viewed as too onerous for business by
many within the Bush administration, and ultimately anything that could
offend industry, anything that hinted at government mandates, was stripped
out.” 28 One bill proposed by Congress initially “called for mandatory
minimum security standards” for the private sector, but the Chamber of
Commerce and other corporate representatives opposed the regulations. To
salvage the bill’s chances of passing, it was rewritten to advocate voluntary
standards; nonetheless, the bill failed. 29 And President Obama, in a 2009
address regarding cybersecurity policy, explicitly stated, “My administration
will not dictate security standards for private companies.”
Instead, the federal government has recently taken a number of
preliminary steps to encourage the private sector to adopt more stringent
cybersecurity measures. In August 2013, it identified a number of possible
incentives that could be used to entice the private sector to adopt
cybersecurity best practices, including “cybersecurity insurance, federal grants,
and legal protections for companies that invest additional money in
cybersecurity efforts.” 30 The government also offered guidance to sixteen critical
infrastructure sectors about how to shield themselves from cyber attacks,
but did not mandate compliance with its recommendations. 31 The General