CYBEREYE

Stop playing politics with cybersecurity

Senators on both sides of the aisle have been quick to emphasize how important cybersecurity is to the nation’s security and its increasingly online economy.

“All of us recognize the importance of cybersecurity in the digital world,” Sen. John McCain (R-Ariz.) said during a recent hearing of the Homeland Security and Governmental Affairs Committee.

Supporters of the Cybersecurity Act of 2012 introduced by committee Chairman Joseph Lieberman (I-Conn.) all agreed that it is high time to get our cyber house in order before serious damage is done. “Time is not on our side,” Lieberman said.




But when it comes to going beyond lip service, cooperation falls apart. A group of seven high-ranking Republican senators, miffed at their committees being bypassed by Lieberman and alarmed at the specter of federal regulation, are opposing the bill. McCain said the senators were forced to this position.

“Because of provisions like these and the threat of a hurried process, myself, and senators Hutchison, Chambliss, Murkowski, Grassley and others are left with no choice but to introduce an alternative cybersecurity bill in the coming days,” he said.

But they do have a choice. They could choose to cooperate in the legislative process and help to craft a bill that can move through the Senate. The problem is that they object to any sort of federal regulation, preferring instead to leave private-sector owners of critical infrastructure to decide for themselves how, and whether, to secure their networks and systems.

This is the line of the U.S. Chamber of Commerce, expressed during the hearing by former Homeland Security Secretary Tom Ridge.

“Businesses strive to stay a step ahead of cyber criminals and protect potentially sensitive consumer and business information by employing sound risk-management principles,” Ridge said. “Industry has been taking robust and proactive steps for many years to protect and make their information networks more resilient.”

But, as Stewart Baker, partner at Steptoe & Johnson and a visiting fellow at Stanford University’s Hoover Institution, told the committee, this argument makes no sense. “They’re the guys who got us into this fix.” If the system owners and operators were doing an adequate job of protecting themselves, we wouldn’t be arguing about cybersecurity today.

McCain complained that the Lieberman bill would create a “regulatory leviathan,” and that the “bureaucrats” at the Homeland Security Department would become “super regulators,” stifling innovation and killing jobs.

There is no reason to believe this. The bill gives very little regulatory authority to DHS, which would designate critical infrastructure and would establish minimal risk-based requirements for security. Existing regulatory relationships would not be changed and owners of covered infrastructure would be allowed to self-certify that they meet minimum requirements. Hardly a job-killer.

Regulation is not bad. Bad regulation is bad, good regulation is good, and some regulation of our critical infrastructure is needed to ensure it is adequately secured.

Absent regulation, the private sector is concerned solely with making a profit. That is their job. Public welfare and personal wellbeing are not their business. But profit and loss are not adequate measures for protecting the nation’s critical infrastructure. The public welfare is the government’s job, and it is not too much to expect that there be minimum requirements for security that system owners would have to abide by, like it or not.

The Cybersecurity Act of 2012 probably isn’t perfect. But rather than digging in your heels against every type of standard or regulation that is proposed, the proper response would be to participate in the legislative process and create a more perfect bill.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Feb 27, 2012

The problem with government regulation in the cyber world is it takes government 100 times longer to "get with the times" and the result is industry will be shackled with outdated regulations that have outlived their usefulness long ago. Industry HAS a motive to protect infrastructure, it is called PROFIT. Not perfect, to be sure, but better than government bureaucracy!

Tue, Feb 21, 2012 Cowboy Joe

Nice to see someone who can put a point on the topic. Maybe a bit oversimplified, but for the most part truer'n a gun barrel.

Tue, Feb 21, 2012 WOR

Maybe the problem is that politics has degenerated into a struggle between Congressional CYA actions and corporate appeasement. I generally agree with your assessment.

Tue, Feb 21, 2012

The problem with this article's premise is that it implies all the private sector companies are created equal. This is ignorant. Many private sector companies are doing great things and making good risk management and cybersecurity decisions. The problem is that some aren't. Any regulation needs to focus on addressing this and being outcome-based. Any time the government is prescriptive about this stuff we get into trouble and punish according to the least common denominator.

Tue, Feb 21, 2012 Howard Plumley Florida

Who watches the watchers? J. Edgar had to die before the FBI reduced domestic surveillance. DHS is the new guy looking over your shoulder and if FISA and TSA are examples of their respect for the Constitution then no bill is better than one giving them more power. McCain's proposal is not better just protects his 'special interest friends'.
