Ryan Radia, 202-331-2281
Vice President for Policy
Competitive Enterprise Institute
Washington, D.C., June 4, 2010 – Senators Joe Lieberman (I-Conn.) and Susan Collins (R-ME) have drafted cybersecurity legislation that would "give the federal government the power to take over civilian networks’ security, if there’s an ‘imminent cyber threat,’" according to Wired.
Vulnerabilities in the government’s information security policies and the need to “bring government into the 21st century” have long been noted. But given the constant temptation by politicians in both parties to expand government authority over private sector cybersecurity practices, poor decisions made at this juncture could undermine information security and threaten individual liberties.
It’s beyond doubt that infrastructure security problems exist. Yet the tendency of cybersecurity today to be seen as an increasingly government-spearheaded function is exactly the wrong approach. We need better digital equivalents of barbed wire and door locks, which private companies are constantly competing to improve.
Policy makers would be wise to remember that government already has far too much coercive power to exert control over private infrastructure and network industries. The federal government is the single greatest violator of privacy in the United States. It was only four years ago that the National Security Agency was found to be illegally wiretapping the telephone conversations of hundreds of millions of Americans. Other invasive proposals floating around in Congress today include a biometric national identification regime and a law requiring identification cards for prepaid cell phone purchasers. To further empower the federal government to impose dictates on the private networks that transport sensitive personal data would be to ignore the important privacy lessons from the post-9/11 era.
Instead of granting new power to the federal government to control private networks, any cybersecurity legislation should restrict its focus to securing government networks, keeping government agencies on the cutting edge of communications technology, and limiting the power of government to compel providers to disclose private data. To be sure, if the nation does suffer a serious cyberattack, a swift response will be crucial. Government may well have an important role to play in identifying and punishing wrongdoers. But the ultimate responsibility and authority to defend private networks from cyberattackers properly rests with network owners, not government.