Efforts to Regulate Cybersecurity Miss Mark


Oct 3rd, 2012 2 min read
Steven P. Bucci, Ph.D.

Visiting Fellow, Douglas and Sarah Allison Center

Bucci is a visiting fellow who focuses on cybersecurity, military special operations, and defense support to civil authorities.

Foreign cyber attacks threaten both our critical infrastructure (think power plants) and our “digital lives” (think on-line banking). The Russians are very sophisticated. The Chinese use overwhelming numbers of hackers. The Iranians, while not in the same league as the others, are in there cyber-swinging as well. Add in criminals, terrorists, and individual political agendas, and the cyber threat “stew” is thick and potent. It’s a real problem that must be addressed.

Congress recently tried, but failed, to pass a comprehensive cyber security bill. Now, the President is threatening to impose rules through an Executive Order. That would be a mistake, for two reasons. First, the Executive Branch should never just blow off Congress. Second, the President’s advisors are recommending the wrong approach.

Washington’s standard “regulate the problem to death” approach just won’t cut it. We’re not talking about auto safety issues here. We’re talking about a constantly evolving, constantly changing threat. The government regulatory process is too slow, and the regulations too static, to help in the “million mile an hour” world of cyber. The bad guys will simply go around yesterday’s regulatory “solution” with today’s (or tomorrow’s) new attack technique. We need to act, but smartly, and with positive effect.

To improve cyber security through legislation, it is essential that the proposal: promote info sharing, provide for cyber insurance, improve the cyber supply chain, establish a cyber right to self-defense, and push public cyber know-how.

Better info sharing about cyber attacks is always talked about, but seldom enabled. Companies that have been attacked may have already incurred high-cost damages and be reluctant to talk about it for fear of scaring away more business. Rather than demand that they share info, rules should encourage them to share. Sharing incentives include: affording them protection from lawsuits; letting them remain anonymous (so their stock prices don’t plummet); shielding the data shared with the government from Freedom of Information Act requests; and assuring them that the Government will relay actionable information to other companies fast and effectively.

Legislation must also foster development of a true cyber insurance business. What’s needed is an independent, non-government organization to set truly dynamic and flexible standards for what constitutes best practices in various industry sectors. Then the present insurance industry will have “actuary tables” from which they can sell valid insurance. The better your company’s security, the less you pay in premiums.

Given that the components of computers, tablets, smartphones, and pretty much everything else are made all over the world (including cyber threat countries like China), the cyber supply chain needs to be protected. Again, a non-government organization, which can inspect supply chain practices, operations, and security methods, should be established. It can give grades to a tech company’s operation, much like Underwriters Limited (those guys who put the stickers on the back of toasters and TVs) evaluates the safety of other products. Companies that get very high grades can charge more for their products. Buyers who want to economize can take a chance with less expensive but potentially less secure items. The customer makes an informed risk-based decision.

Presently, companies do not know what rights they have to protect themselves from hackers. If they are attacked, can they fight back? If lawmakers don’t want cyber-vigilantes, they should articulate parameters for self-defense that are legitimate and well known.

Lastly, lawmakers should push awareness, education, and training initiatives to combat both the ignorance and the hype about the cyber-threat. Give people the truth of what they need to know about cyber threats, and give them the tools to play a role in protecting themselves, their homes, and their businesses. This should be done early, often, dynamically, and continuously.

Rather than short-circuit the democratic process, the White House should give Congress a chance to develop a law that provides the above elements.

--Steven Bucci is Senior Research Fellow for Defense and Homeland Security at The Heritage Foundation (www.heritage.org).

First appeared in The Washington Times.