The threats to America’s cybersecurity are serious and growing. They range from private hackers of individuals to state-sponsored cyberattacks on companies and government agencies and networks. Cyberthreats endanger the entire American financial and security system, including the flow of money in banks and the electrical grid. The federal government already has experienced at least 65 cybersecurity breaches and failures.
The Obama administration proposes to solve these problems by imposing heavy-handed federal regulations on Americans. Beware: It will not work. Far better would be a flexible, fast-acting system that can keep up with hackers or, better yet, stay one step ahead of them.
Most people understand the danger of identity theft. But as Heritage Foundation analysts Stephen Bucci, Paul Rosenzweig and David Inserra point out in a recent report, cyberespionage is far more costly. Cyberattacks from states such as China and Russia account for the loss of $250 billion every year in intellectual property.
Imposing an old-fashioned, top-down regulatory solution as the Obama administration and some in Congress want to do is tempting. After a proposed Senate cybersecurity act failed to pass, the administration issued an executive order that reflects this regulatory approach.
But heavy-handed regulation is a 19th-century solution to a 21st-century problem. Federal regulations are slow to implement, cumbersome to manage and unable to keep up with the rapid advances of hackers and cyberwarriors, who continually change their lines of attack. This approach ushers in a clumsy bureaucratic regime that undoubtedly will become even slower and more cumbersome over time. That is the nature of regulatory bureaucracy.
There is a better way. The rule of thumb for policymakers should be to encourage companies and other entities to find methods to better protect themselves from cyberattacks. They need to be able to share information voluntarily and protect themselves from liabilities associated with doing that, while ensuring that their proprietary information is safeguarded.
Companies sharing information on cyberattacks need to know that they will not be put at a competitive disadvantage in the marketplace. All shared information should be exempted from Freedom of Information Act requests and regulatory use. Moreover, private-public partnerships should be established so information could be shared fully and in a timely manner.
Developing a cybersecurity liability and insurance system would be another step in the right direction. As explained in the Heritage report, “such a system returns cyber-security liability to those who are largely responsible for cyber-security losses” i.e., not the consumer but the software manufacturers who, through negligence or other reasons, fail to offer safeguards against cyberincursions and companies that do little about security weaknesses in their cybersystems.
The Heritage report contains another innovative recommendation: Create a nonprofit organization that can assess the surety of an organization’s supply chain, similar to the way Underwriters Laboratories Inc. assesses the safety of various commercial products. Once a company is given a grade, consumers of software and technical equipment can decide for themselves how safe a purchase would be.
Finally, there is the critical issue of cyberattacks by states, terrorists and criminals. A model to pursue is the one used by the former Soviet state of Georgia in response to cyberattacks from Russia in 2012. The Georgian government planted a malware booby trap in a file that Russian intelligence hacked, foiling that attempt at espionage and, more importantly, identifying the perpetrator. U.S. companies should be allowed to execute similar operations, either in cooperation with law enforcement or on their own.
Cybersecurity is a complex problem. That is why a one-size-fits-all, top-down regulatory regime run by the federal government is unwise. To stay a step ahead of hackers, Americans need a system that empowers them to protect themselves.
-Kim R. Holmes, a former assistant secretary of state, is a distinguished fellow at the Heritage Foundation.
First appeared in The Washington Times.