When it comes to the critical issue of cybersecurity, Congress should work to reduce the fragmented and often conflicting burdens that are placed on industry instead of adding to the regulatory burden of American businesses, said Tom Ridge, chair the Chamber’s National Security Task Force.

“The Chamber is deeply concerned that a new regulatory regime would box in our critical infrastructures, hampering the freedom, agility, and innovation needed to deflect or defeat adversaries who are often quite amply resourced,” Ridge said during a Senate Homeland Security and Governmental Affairs Committee hearing on The Cybersecurity Act of 2012.

Ridge, former Secretary of Homeland Security and president and CEO of Ridge Global, called on policymakers to leverage and improve upon the sector-based risk assessments already being conducted by DHS or sector-specific agencies and industry under the existing National Infrastructure Protection Plan (NIPP).

Over the past few years, the Chamber has stated that it will support legislation, such as an information-sharing bill, that is carefully targeted toward effectively addressing the complex cyber threats that businesses are experiencing.

However, The Cybersecurity Act of 2012 goes much further and would authorize DHS to establish a regime for regulating the assets or systems of vital parts of the American economy. Given the discretion that government officials would have in designating “covered” critical infrastructure (CCI), the likelihood for DHS to regulate entities in many American communities is considerable, Ridge noted.

“The Chamber is concerned not only with the concept but with how it would be implemented,” Ridge said. “A regulatory program would likely become highly rigid in practice and thus counterproductive to effective cybersecurity—due in large part to a shift in businesses’ focus from security to compliance.”

The right path forward, Ridge said, is for the public and private sectors to work together to solve challenges, to share information between network managers, and foster investment and innovation in cybersecurity technologies. “The optimal way forward will not be found in layering additional regulations on the business community,” he said.