January 31, 2012 | WebMemo on Homeland Security
The Senate will move early next month to consider a comprehensive cybersecurity bill. The House, likewise, is pledged to consider legislation this year. The Administration has proposed a bill itself, and the political forces seem to be moving toward some form of legislative response to the growing problem of intrusion on the Internet.
As is often the case, however, with any bill that has the word comprehensive in its description, conservatives should be cautious in their approach and limited in their expectations. One hopes that as Congress moves forward, the ideas embodied in H.R. 3523—a work product of the House Permanent Select Committee on Intelligence and its two chairmen, Mike Rogers (R–MI) and Dutch Ruppersberger (D–MD)—will be given serious consideration.
The view that congressional experts can give us the “right” answer is always seductive but often wrong. The risks of error are even greater in a domain, like cyber, where innovations are rapid and technology ever-changing. The conceit that Congress can today set a fixed policy that will guide the nation’s cyber response for the next five to 10 years is ambitious—perhaps too much so.
Thus it is good to see at least one entrant in the field of competing cyber bills that has a more limited approach, one that advances incremental change without making the mistake of presuming to know all the answers.
H.R. 3523 starts from the premise that the private sector already does much to secure its networks and that the major gaps are in law and policy, not technology. Thus, the bill contends that private-sector actors need clearer authority, not more regulation, to detect threats and share information.
This approach rightly recognizes that there are substantial ambiguities in the law—enough to make cautious actors refrain from sharing cyber threat information within the private sector. Likewise, the Intelligence Community could assist the private sector by providing classified threat intelligence to enable self-defense of its networks (a model of sharing that has already been validated by the Defense Industrial Base [DIB] pilot project, recently transitioned from the Pentagon to the Department of Homeland Security).
Under the Rogers–Ruppersberger approach, ambiguities in the law would be eliminated. Private-sector entities would be given clear legal authority to defend their own networks and share cyber threat information with others in the private sector as well as with the federal government. The sharing would be purely voluntary but legal. This threat and vulnerability information shared with the government would be exempt from disclosure under the Freedom of Information Act and treated as proprietary information. In addition, the government would be prohibited from using the information in regulatory proceedings, and the private-sector actors would be protected against liability for sharing any information.
Other provisions of the bill would expand on the DIB pilot and allow the government to share classified cyber threat intelligence more readily with the private sector and suitably cleared individuals.
In short, these concepts are based on a cooperative public–private sector arrangement, where government cyber threat information is leveraged to enable the private sector to be aggressive in its own cyber defense. Instead of a command-and-control model that mandates certain actions and contemplates an expanded regulatory state, greater sharing within the private sector and between the government and private-sector actors is a modest first step that would, in a bipartisan way, attempt to harness the creativity and innovation of the American private sector.
Paul Rosenzweig is a Visiting Fellow in the Center for Legal and Judicial Studies and the Douglas and Sarah Allison Center for Foreign Policy Studies, a division of the Kathryn and Shelby Cullom Davis Institute for International Studies, at The Heritage Foundation.