Obama’s pending cybersecurity overhaul should heed the “Cybersecurity Commandment”…

Not many details have appeared, but the Atlantic reports on a speech given by the administration’s Melissa Hathaway in McLean, VA:

In her speech, Hathaway did not say much about the administration’s policy changes, although published reports indicate that Obama plans to create a powerful national cybersecurity directorate that would work through the Department of Homeland Security, establish a national cybersecurity recovery plan and resolve longstanding conflicts between agencies.

I remain suspicious of collectivizing and centralizing risk in governmental bodies, and of creating the impression that governments can protect private networks and infrastructure. We do need police forces (gov’t), but we also need the barbed wire and door locks that private enterprise provides in a competitive environment. When government assumes too much authority over the latter, we become less secure, not more. And some reports have indicated that both the administration and Congress are seeking complete government authority over private networks like power grids and computer networks in the event of breaches. The privacy concerns are a separate matter that we address elsewhere, but in a CEI report called Preventing Identity Theft and Data Security Breaches: The Problem with Regulation, we put it like this:

Policymakers should recognize that data security requires not one-size-fits-all solutions, but the tailored answers that private actors can deliver. Every firm’s upstream suppliers and downstream customers increasingly demand better security. Like any other technology, security technologies, from biometric identifiers to firewalls to encrypted databases, benefit from competition. Likewise, cybersecurity services, from consulting to insurance to network monitoring, benefit from competition. To reduce the impact of any given attack, policymakers should adhere to policies that, to the extent possible, “privatize” rather than collectivize.

The need to preserve a dynamic market role can be summed up in a single Cybersecurity Commandment:

Do not take steps in the name of security that make it:
(1) impossible to liberalize or deregulate infrastructure and networks or
(2) impossible or undesirable to self-regulate.

Government should not assert authority in ways that would make private-sector assumption of security responsibility impossible in the future as technology advances or conditions change. And policymakers should be extremely careful not to create disincentives to self-regulation. If government ignores either aspect of the Cybersecurity Commandment, the result will be both subpar information security and economic inefficiency. Interference could also roll back important advances that have been made in the privatization of infrastructure and services over the past decades.