When we think of those who wish to do us harm, we usually picture an assailant armed with a gun, a missile or a bomb — someone who can hurt us physically.
That’s understandable, but we shouldn’t neglect the need to protect ourselves from another type of weapon, one that is gaining greater popularity among our enemies: the computer keyboard.
Adversaries such as Russia, China, and Iran have shown they’re willing to steal or destroy U.S. digital property to enhance their power or prestige. Terrorist groups such as Hamas and Hezbollah have also resorted to cyber-attacks, as have criminal organizations from around the world.
Whether they act on their own or use hired guns to do their dirty work, their weapon of choice is a virtual one. Ones and zeros trump an AK-47.
These attacks are not only dangerous, they’re costly. “Cyber-espionage is rampant, with U.S. companies estimated to be losing a staggering $250 billion every year in intellectual property,” note the authors of a major report from the Heritage Foundation, “Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace.”
Everyone can agree that something needs to be done to address this threat. The question is, what.
The good news is that Congress and the president haven’t been inactive; several bills have been introduced, and one even passed the House of Representatives. The bad news is that too many lawmakers favor an approach that’s heavy on regulations.
You don’t have to have a healthy distrust of big government to see why that’s a mistake. “Regulation, particularly federal regulation, is slow, cumbersome and static,” according to the Heritage report. “Once in place, regulations are very difficult to remove or even change.”
So how will regulations help us in the fast-moving, ever-evolving world of cybersecurity, where new threats crop up daily, if not hourly?
Consider the fact that the processing power of computers tends to double every 18 to 24 months or so. Now consider the fact that it takes at least 24 to 36 month to write and implement a major regulation. Any cybersecurity regulations that legislators come up with will be outdated the day they’re issued, and easily circumvented by savvy hackers.
So what can we do about it? There are several steps we can take, but a sensible policy should at least:
1.) Promote information-sharing: Today, numerous organizations and government agencies collect and analyze information regarding these threats and vulnerabilities.
But this information does little good unless it’s shared. So why wouldn’t it be? Several reasons. Some organizations fear being held liable if the information turns out to be wrong. Or they worry that sharing could allow competitors to access proprietary information through Freedom of Information Act requests. Or they’re concerned that regulators could use shared information against them.
With sensible protections, we can promote the sharing necessary to address credible threats.
2.) Clarify boundaries and standards for self-defense in cyberspace: We need to strike a reasonable balance here. Companies need to be able to take active measures to protect themselves without usurping the responsibility or authority of the federal government.
3.) Lead international cyberspace engagement: The United States should lead international efforts to “name and shame” nations that use that realm for malicious purposes, either against other nations or their own people.
To someone with a hammer, it’s said, every problem looks like a nail. To federal policymakers, every problem looks like something they can and should regulate. That needs to stop.
It’s time for them to think outside the government box and fashion a workable cybersecurity policy that protects us against one of the 21st century’s most growing threats.
- Ed Feulner is founder of The Heritage Foundation
Originally appeared in The Washington Times