April 17, 2013
By Kim R. Holmes, Ph.D.
The threats to America’s cybersecurity are serious and growing. They range from private hackers targeting individuals to state-sponsored cyberattacks on companies and government agencies and networks. Cyberthreats endanger the entire American financial and security system, including the flow of money in banks and the electrical grid. The federal government already has experienced at least 65 cybersecurity breaches and failures.
The Obama administration proposes to solve these problems by imposing heavy-handed federal regulations on Americans. Beware: It will not work. Far better would be a flexible, fast-acting system that can keep up with hackers or, better yet, stay one step ahead of them.
Most people understand the danger of identity theft. But as Heritage Foundation analysts Stephen Bucci, Paul Rosenzweig and David Inserra point out in a recent report, cyberespionage is far more costly. Cyberattacks from states such as China and Russia account for the loss of $250 billion every year in intellectual property.
Imposing an old-fashioned, top-down regulatory solution as the Obama administration and some in Congress want to do is tempting. After a proposed Senate cybersecurity act failed to pass, the administration issued an executive order that reflects this regulatory approach.
But heavy-handed regulation is a 19th-century solution to a 21st-century problem. Federal regulations are slow to implement, cumbersome to manage and unable to keep up with the rapid advances of hackers and cyberwarriors, who continually change their lines of attack. This approach ushers in a clumsy bureaucratic regime that undoubtedly will become even slower and more cumbersome over time. That is the nature of regulatory bureaucracy.
There is a better way. The rule of thumb for policymakers should be to encourage companies and other entities to find methods to better protect themselves from cyberattacks. They need to be able to share information voluntarily and protect themselves from liabilities associated with doing that, while ensuring that their proprietary information is safeguarded.
Companies sharing information on cyberattacks need to know that they will not be put at a competitive disadvantage in the marketplace. All shared information should be exempted from Freedom of Information Act requests and regulatory use. Moreover, private-public partnerships should be established so information could be shared fully and in a timely manner.
Developing a cybersecurity liability and insurance system would be another step in the right direction. As explained in the Heritage report, “such a system returns cyber-security liability to those who are largely responsible for cyber-security losses,” i.e., not the consumer but the software manufacturers who, through negligence or other reasons, fail to offer safeguards against cyberincursions, and companies that do little about security weaknesses in their cybersystems.
The Heritage report contains another innovative recommendation: Create a nonprofit organization that can assess the surety of an organization’s supply chain, similar to the way Underwriters Laboratories Inc. assesses the safety of various commercial products. Once a company is given a grade, consumers of software and technical equipment can decide for themselves how safe a purchase would be.
Finally, there is the critical issue of cyberattacks by states, terrorists and criminals. A model to pursue is the one used by the former Soviet state of Georgia in response to cyberattacks from Russia in 2012. The Georgian government planted a malware booby trap in a file that Russian intelligence hacked, foiling that attempt at espionage and, more importantly, identifying the perpetrator. U.S. companies should be allowed to execute similar operations, either in cooperation with law enforcement or on their own.
Cybersecurity is a complex problem. That is why a one-size-fits-all, top-down regulatory regime run by the federal government is unwise. To stay a step ahead of hackers, Americans need a system that empowers them to protect themselves.
-Kim R. Holmes, a former assistant secretary of state, is a distinguished fellow at the Heritage Foundation.
First appeared in The Washington Times.