Statement by Wayne Crews
Vice President for Policy
Washington, D.C., May 28, 2009—Tomorrow, President Obama is slated to name a “cybersecurity czar with a broad mandate” and issue a report outlining potential vulnerabilities in the government’s information security policies. The “czar” would be charged with managing government technology policy on matters ranging from cybersecurity to privacy—in effect, securing government networks and seeking to keep government agencies on the cutting edge of communications technology.
Such a role could be legitimate if its scope were limited to “bringing government into the 21st century.” But given the constant temptation by politicians in both parties to meddle with technology policy, the position of cybersecurity “czar” could easily morph into a central figure in the drive to regulate private networks, rather than simply focus on government modernization.
Cybersecurity Regulation Premature
Government regulation to address private sector cybersecurity practices is premature. Politicians, when they do weigh in, are likely to seek massive sums to establish research grants for politically favored cybersecurity initiatives, set up redundant cybersecurity agencies, programs, and subsidies, and steer cybersecurity research in the academic world away from its natural course.
Past regulatory proposals affecting information security have included mandates on data breach disclosure, virus protection, and vulnerability reporting. As has happened with anti-spam laws, legislation aimed at making information more secure tends to accomplish exactly the opposite. Hackers and crackers—the “bad guys” of the information age—don’t obey the law in the first place, and many cyber-attacks originate abroad beyond the reach of U.S. regulation.
Policy makers should be suspicious of proposals to collectivize and centralize cybersecurity risk management, especially in frontier industries like information technology. While government law enforcement agencies have a necessary role to play in investigating and punishing intrusions on private networks and infrastructure, government must coexist with, rather than crowd out, private sector security technologies. These are the digital equivalents of barbed wire and door locks, which private companies are constantly competing to improve. When government asserts authority over security technologies, it hinders the evolution of more robust information security practices and creates barriers—both mundane and catastrophic—to non-political solutions. The result is that we become less secure, not more secure.
Indeed, recent reports suggest that both the administration and Congress are seeking to expand government authority over “critical” private networks such as power grids and computer networks in the event of breaches. The term “cyber” means everything and, therefore, nothing: the U.S. telecommunications backbone, the power grid, and virtually anything networked to some other computer would likely be fair game for a new czar to regulate. The unmistakable tenor of the cybersecurity discussion today is toward greater federal control over private infrastructure.
Washington’s Proper Cybersecurity Role
Washington’s role should be reserved to protecting the government’s own networks and setting internal security standards, rather than regulating private networks. Government should focus on arresting actual computer criminals instead of crafting policies that threaten data security, such as data retention legislation, national identification schemes, proposals to re-regulate encryption, and monolithic “czars” with broad reign to set policy across the board.
Neither industries nor broad concepts like “cybersecurity” merit Washington “czars.” Innovation in information security and privacy protection is not a function of bureaucrats and regulators in D.C. Security is an industry unto itself. A government tech czar would invariably grow into an irresistible temptation for lobbyists and could all too easily become an agent for establishing government authority over our most vulnerable frontier technologies and sciences.
Enhancing Private Sector Cybersecurity Practices
Both suppliers and customers in the high-tech sector increasingly demand better security from all players. Improving private incentives for information sharing is at least as important as greater government coordination to ensure security and critical infrastructure protection. That job will entail liberalizing critical infrastructure assets—like telecommunications and electricity networks—and relaxing antitrust constraints so firms can coordinate information security strategies and enhance reliability of critical infrastructure through the kind of “partial mergers” that are anathema to today’s antitrust enforcers.
Private cybersecurity initiatives will gradually move us toward thriving liability and insurance markets. Heavy-handed cyber-czar gestures and legislation cannot address the lack of authentication and inability to exclude bad actors that is at the root of today’s cybersecurity problems.
Like everything else in the market, security technologies—from biometric identifiers to firewalls to encrypted databases—and cybersecurity services—from consulting to liability insurance to network monitoring—benefit from competition. Important cybersecurity concerns surround information sharing, anonymity, and questions of insurance and liability—all issues that corporate information and security officers deal with every day. It’s not clear what government could really fix—but it could break a lot.
Mistakes made in the market—like overly aggressive spam filters and blacklists—are easier both to contain in their effects and to correct than is bad legislation. Moreover, regulation can become so entrenched that genuine liberalization, however warranted as conditions change, simply cannot occur. To reduce the impact of any given attack, policy makers should seek to “privatize,” rather than collectivize, responsibility for securing private networks of all stripes.
The need to preserve a dynamic market role can be summed up in a single Cybersecurity Commandment:
Do not take steps in the name of cybersecurity that make it: (1) impossible to liberalize or deregulate critical infrastructure and networks or (2) impossible or undesirable to “self-regulate” in emerging critical networks and technologies.
Government should not assert authority in ways that would make impossible future private sector security solutions as technology advances and market conditions change. The future will deliver authentication technologies far more capable than those of today. If government ignores either aspect of the Cybersecurity Commandment, it will lead to subpar information security and to economic inefficiencies—such as inadequate infrastructure investment. Such intervention could also roll back important advances that have been made in the privatization of infrastructure and services over the past decades.
America seems no worse off without a cybersecurity czar, and could be a lot worse off with one. The “broad mandate” for the czar should be avoided. At the very least, hearings are in order—but it would be best for the “czar” idea to simply fade away.
See the following reports for further information:
CEI is a non-profit, non-partisan public policy group dedicated to the principles of free enterprise and limited government. For more information about CEI, please visit our website at www.cei.org.