WebMemo #3478 on Homeland Security

January 31, 2012

Congressional Cyber Initiative Shows Promise


The Senate will move early next month to consider a comprehensive cybersecurity bill. The House has likewise pledged to consider legislation this year. The Administration has itself proposed a bill, and the political forces seem to be moving toward some form of legislative response to the growing problem of intrusion on the Internet.

As is often the case, however, with any bill that has the word “comprehensive” in its description, conservatives should be cautious in their approach and limited in their expectations. One hopes that as Congress moves forward, the ideas embodied in H.R. 3523—a work product of the House Permanent Select Committee on Intelligence and its two chairmen, Mike Rogers (R–MI) and Dutch Ruppersberger (D–MD)—will be given serious consideration.

More Freedom and More Security

The view that congressional experts can give us the “right” answer is always seductive but often wrong. The risks of error are even greater in a domain, like cyber, where innovations are rapid and technology ever-changing. The conceit that Congress can today set a fixed policy that will guide the nation’s cyber response for the next five to 10 years is ambitious—perhaps too much so.

Thus it is good to see at least one entrant in the field of competing cyber bills that has a more limited approach, one that advances incremental change without making the mistake of presuming to know all the answers.

H.R. 3523 starts from the premise that the private sector already does much to secure its networks and that the major gaps are in law and policy, not technology. Thus, the bill contends that private-sector actors need clearer authority, not more regulation, to detect threats and share information.

This approach rightly recognizes that there are substantial ambiguities in the law—enough to make cautious actors refrain from sharing cyber threat information within the private sector. Likewise, the Intelligence Community could assist the private sector by providing classified threat intelligence to enable self-defense of their networks (a model of sharing that has already been validated by the Defense Industrial Base [DIB] pilot project, recently transitioned from the Pentagon to the Department of Homeland Security).

Under the Rogers–Ruppersberger approach, ambiguities in the law would be eliminated. Private-sector entities would be given clear legal authority to defend their own networks and share cyber threat information with others in the private sector as well as with the federal government. The sharing would be purely voluntary but legal. This threat and vulnerability information shared with the government would be exempt from disclosure under the Freedom of Information Act and treated as proprietary information. In addition, the government would be prohibited from using the information in regulatory proceedings, and the private-sector actors would be protected against liability for sharing any information.

Other provisions of the bill would expand on the DIB pilot and allow the government to share classified cyber threat intelligence more readily with the private sector and suitably cleared individuals.

Public–Private Cooperation

In short, these concepts are based on a cooperative public–private sector arrangement, where government cyber threat information is leveraged to enable the private sector to be aggressive in its own cyber defense. Instead of a command-and-control model that mandates certain actions and contemplates an expanded regulatory state, greater sharing within the private sector and between the government and private-sector actors is a modest first step that would, in a bipartisan way, attempt to harness the creativity and innovation of the American private sector.

Paul Rosenzweig is a Visiting Fellow in the Center for Legal and Judicial Studies and the Douglas and Sarah Allison Center for Foreign Policy Studies, a division of the Kathryn and Shelby Cullom Davis Institute for International Studies, at The Heritage Foundation.
