This story just hit the Drudge Report’s front page. Declan McCullagh at CNET writes today about the latest revision of S.773, a bill that would give the president “emergency control” of the internet in case of a “cybersecurity emergency.” Wayne Crews, CEI Vice President for Policy, released a statement on the naming of the cybersecurity chief and wrote an article on this back in May. See an excerpt below:
Policy makers should avoid collectivizing and centralizing risk management, especially in frontier industries like information technology. Yes, we need government-backed “police forces” to protect private networks and infrastructure, but we also need the “barbed wire” and “door locks” which private companies continuously compete with each other to improve. When government overrules market competition for information/electronic security, it creates barriers to innovative private security solutions. We become less secure, not more.
Some reports indicate that the administration and Congress are seeking government authority over private networks-like power grids and computer networks-in the event of breaches. The very term “cyber” at once means everything and therefore nothing: American telecommunications, the power grid; virtually anything networked to some other computer is fair game to a new czar. The dominant tenor of the cybersecurity debate today is toward greater federal control over private infrastructure.
Washington has a proper role. It entails protecting government’s own networks and setting internal security standards, not regulating private networks. It involves arresting computer criminals and avoiding creating threats to data security in the form of data retention mandates, national ID schemes, proposals to re-regulate encryption, and czars that set terms for all they survey.
Security is an industry, and industries-and abstract concepts like “technology”-do not need czars in Washington. Innovation in information security and privacy protection do not flow from D.C. Rather, a government tech czar would likely grow in “stature” as a target for lobbyists. A federal technology chief could all too easily become an agent for establishing government authority over frontier technologies.
Both suppliers and customers increasingly demand better security from all firms. Improving private incentives for information sharing is at least as important as greater government coordination to ensure security and critical infrastructure protection. That job will entail liberalizing critical infrastructure assets-like telecommunications and electricity networks-and relaxing antitrust constraints so firms can enhance reliability through the kind of “partial mergers” that are anathema to today’s antitrust enforcers.
Private cybersecurity initiatives will gradually move us toward thriving liability and insurance markets for cutting-edge sectors. Heavy-handed cyber-czar gestures and legislation cannot address the lack of authentication and inability to exclude bad actors that is at the root of today’s cybersecurity problems.
Like everything else in the market, security technologies-from biometric identifiers to firewalls to encrypted databases-and cybersecurity services-from consulting to liability insurance to network monitoring-benefit from competition. Corporate information and security officers deal with cybersecurity concerns every day. It’s not clear what government could really fix-but it could break a lot.
See the statement release here.