Stop playing politics with cybersecurity
- By William Jackson
- Feb 17, 2012
Senators on both sides of the aisle have been quick to emphasize how important cybersecurity is to the nation’s security and its increasingly online economy.
“All of us recognize the importance of cybersecurity in the digital world,” Sen. John McCain (R-Ariz.) said during a recent hearing of the Homeland Security and Governmental Affairs Committee.
Supporters of the Cybersecurity Act of 2012 introduced by committee Chairman Joseph Lieberman (I-Conn.) all agreed that it is high time to get our cyber house in order before serious damage is done. “Time is not on our side,” Lieberman said.
But when it comes to going beyond lip service, cooperation falls apart. A group of seven high-ranking Republican senators, miffed at their committees being bypassed by Lieberman and alarmed at the specter of federal regulation, are opposing the bill. McCain said the senators were forced to this position.
“Because of provisions like these and the threat of a hurried process, myself, and senators Hutchison, Chambliss, Murkowski, Grassley and others are left with no choice but to introduce an alternative cybersecurity bill in the coming days,” he said.
But they do have a choice. They could choose to cooperate in the legislative process and help to craft a bill that can move through the Senate. The problem is that they object to any sort of federal regulation, preferring instead to leave private-sector owners of critical infrastructure to decide for themselves how, and whether, to secure their networks and systems.
This is the line of the U.S. Chamber of Commerce, expressed during the hearing by former Homeland Security Secretary Tom Ridge.
“Businesses strive to stay a step ahead of cyber criminals and protect potentially sensitive consumer and business information by employing sound risk-management principles,” Ridge said. “Industry has been taking robust and proactive steps for many years to protect and make their information networks more resilient.”
But, as Stewart Baker, partner at Steptoe & Johnson and a visiting fellow at Stanford University’s Hoover Institution, told the committee, this argument makes no sense. “They’re the guys who got us into this fix.” If the system owners and operators were doing an adequate job of protecting themselves, we wouldn’t be arguing about cybersecurity today.
McCain complained that the Lieberman bill would create a “regulatory leviathan,” and that the “bureaucrats” at the Homeland Security Department would become “super regulators,” stifling innovation and killing jobs.
There is no reason to believe this. The bill gives very little regulatory authority to DHS, which would designate critical infrastructure and would establish minimal risk-based requirements for security. Existing regulatory relationships would not be changed and owners of covered infrastructure would be allowed to self-certify that they meet minimum requirements. Hardly a job-killer.
Regulation is not bad. Bad regulation is bad, good regulation is good, and some regulation of our critical infrastructure is needed to ensure it is adequately secured.
Absent regulation, the private sector is concerned solely with making a profit. That is their job. Public welfare and personal wellbeing are not their business. But profit and loss are not adequate measures for protecting the nation’s critical infrastructure. The public welfare is the government’s job, and it is not too much to expect that there be minimum requirements for security that system owners would have to abide by, like it or not.
The Cybersecurity Act of 2012 probably isn’t perfect. But rather than digging in your heels against every type of standard or regulation that is proposed, the proper response would be to participate in the legislative process and create a more perfect bill.
William Jackson is a freelance writer and the author of the CyberEye blog.