June 17, 2009 | WebMemo on Department of Homeland Security
On May 29, the Obama Administration released the results of its 60-day cyber review. The review correctly emphasized the vital role of the private sector in any future national cybersecurity strategy. Involving the private sector effectively, however, will require a liability protection regime--one that encourages industry to invest in cybertechnologies that protect against acts of cyberterrorism.
This can best be accomplished by the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, which provides liability protection for manufacturers whose products and services are used in combating terrorism. Congress should support the continuance and expansion of the SAFETY Act, and the Administration should ensure that the act's protections are used effectively in the cyber realm.
The Cybersecurity Review
President Obama ordered a 60-day review of the nation's cybersecurity efforts in February. Major cyberattacks, including one on the nation of Georgia, and a constant barrage of hackings on major financial institutions and retailers like T. J. Maxx and Marshalls (a hacker stole $45.7 million in credit and debit cards in 2007) have led the drive for a comprehensive assessment of cyber capabilities, challenges, and recommendations going forward.
The review highlights several major aspects of the national cyber realm, including the role of the federal government, a description of the nation's cyber problem, and recommendations for the future. The role of the private sector in helping to tackle the problem was also well documented in the review, including the need for more federal government-private sector partnerships.
The review further noted the need to continually invest and research new technologies to stop cyberattacks. Specifically, it called for the federal government to "harness the full benefits of technology> to address national economic needs and national security requirements." But the review emphasized the private sector's role in meeting this goal.
The Importance of the Private Sector in Cyber Protection
The private sector remains a pivotal partner in ensuring the safety of cyber infrastructure for the following reasons:
Even with the financial benefits of developing new cybertechnologies, the private sector will not invest in these new technologies if the benefits of doing so are outweighed by the risks. For example, companies are less likely to create and market a new product if a lawsuit stemming from it could destroy their entire business.
After the 1993 World Trade Center bombing, the New York Supreme Court upheld a decision that found the Port Authority of New York and New Jersey liable for the bombing. The court's reasoning: The Port Authority was aware of the threat and did not take reasonable steps to mitigate it. After 9/11, insurance premiums for terrorism-related risks skyrocketed, and a number of firms stopped offering terrorism insurance. This kind of liability and potentially devastating jury verdicts have made many companies hesitant to research, develop, and market anti-terrorism technologies.
But America simply cannot afford to let the private sector stop innovating. Recognizing this problem, Congress enacted the SAFETY Act, which lowered the liability risks of manufacturers that provide products and services used in combating terrorism by giving government-certified technologies protection from suit if the technology> failed or was involved in an act of terrorism. The SAFETY Act applies to a multitude of anti-terrorism technologies and includes those used to ward off cyberattacks.
How to Involve the Private Sector
The SAFETY Act continues to play an important role in ensuring that the U.S. does not lose its footing in the cyber domain. America needs companies to continue to develop technologies that keep the U.S. safer, both physically and virtually. As part of a future cyberstrategy, the Obama Administration should:
Support the Private Sector
The Obama Administration is right to place attention on America's cyber challenges. But it is vital to recognize the principal position of the private sector in ensuring cybersecurity. The Administration should be careful not to view the private sector as simply another partnership: It is a major player in the cyber domain whose efforts must be supported.
Jena Baker McNeill is Policy Analyst for Homeland Security in the Douglas and Sarah Allison Center for Foreign Policy Studies, a division of the Kathryn and Shelby Cullom Davis Institute for International Studies, at The Heritage Foundation.