Don’t Turn Cybersecurity into a Bureaucracy; Enhance Private Sector Practices

Washington, D.C., February 3, 2010—Today the House of Representatives is considering HR 4061, the Cybersecurity Enhancement Act. A solid Cybersecurity Enhancement Act might read “Title I: Stop losing federal laptops.” That’s too flip, but consider that there are cybersecurity risks to cybersecurity legislation.

Vulnerabilities in the government’s information security policies and the need to “bring government into the 21st century” have long been noted.  But given the constant temptation by politicians in both parties to meddle with cybersecurity policy by steering research and development in unnatural directions, any poor decisions made at this juncture could undermine both public and private information security.

Politicians, especially in frontier industries like information technology, often take the easy path of seeking massive sums to establish taxpayer funded research grants for politically favored cybersecurity initiatives, set up redundant cybersecurity agencies, programs, and subsidies. This is precisely what the Cybersecurity Enhancement Act will do, potentially steering cybersecurity research away from its natural, safer, course. 

Vastly expanding federal grants, fleets of scholarships and government-induced Ph.Ds in computer security is not the same as actually bolstering security, nor is there any reason the private sector cannot fund the training of its own such personnel or provide application-specific training as needed. Moreover, many serious security problems are not matters of new training but simply of embracing security “best practices” that already exist.

The Cybersecurity Enhancement Act amounts to pork, and the private sector can and should fund the training of America’s security experts. Online security is an immensely valuable industry today, and there is no shortage of private research incentive and potential profit.

Taxpayer-funded scholarships have already been extended to universities in countless respects, and incentives already abound for students to pursue technology careers. These new programs can easily grow beyond the proposed, already-generous bounds.

It’s beyond doubt that online security problems exist. Yet the tendency of cybersecurity today to be seen as an increasingly government-spearheaded function is worrisome. The taxpayer-funding approach can benefit some sectors and companies at the expense of competition and of computer security itself.  Federal spending and intervention may encourage market distortion by skewing private investment decisions, or promoting one set of technologies or class of providers at the expense of others.

We need better digital equivalents of barbed wire and door locks, which private companies are constantly competing to improve. While government law enforcement agencies have a necessary role to play in investigating and punishing intrusions on private networks and infrastructure, government must coexist with, rather than crowd out, private sector security technologies. Otherwise we become less secure, not more. 

A substantial government role invariably grows into an irresistible magnet for lobbyists and the creation of bloated “research centers” and could all too easily become the locus for establishing sub-optimal government authority over our most vulnerable frontier technologies and sciences. 

Both suppliers and customers in the high-tech sector increasingly demand better security from all players. Improving private incentives for information sharing is at least as important as greater government coordination and investment to ensure security and critical infrastructure protection. That job will entail liberalizing critical infrastructure assets—like telecommunications and electricity networks—and relaxing antitrust constraints so firms can coordinate information security strategies and enhance reliability of critical infrastructure through the kind of “partial mergers” that are anathema to today’s antitrust enforcers. 

The future will deliver authentication technologies far more capable than those of today. Like everything else in the market, security technologies—from biometric identifiers to firewalls to network monitoring to encrypted databases—benefit from competition. Private cybersecurity initiatives will also gradually move us toward thriving liability and insurance markets, to help address the lack of authentication and inability to exclude bad actors that are at the root of today’s vulnerabilities. Security is an industry unto itself, let’s not turn it into bureaucracy.