Washington, D.C., June 24, 2010 – This afternoon, the U.S. Senate Homeland Security Committee begins markup of the Lieberman-Collins-Carper cybersecurity bill, which contains controversial provisions to allow the president to assume control of critical private network assets in event of a "cyber-emergency." Tomorrow, the White House will reportedly unveil its security and privacy strategy, called the National Strategy for Trusted Identities in Cyberspace, which will address firms’ use of personal information, liability standards, and regulatory approaches to digital privacy.
Policymakers should reject such proposals to centralize cybersecurity risk management.
The Internet that will evolve if government can resort to a “kill switch” will be vastly different from, and inferior to, the safer one that will emerge otherwise. The unmistakable tenor of the cybersecurity discussion today is that of government steering while the market rows. To be sure, law enforcement has a crucial role in punishing intrusions on private networks and infrastructure. But government must coexist with, rather than crowd out, private sector security technologies.
Security is a competitive feature, one best advanced by non-political solutions. Firms face unrelenting competitive pressures from upstream and downstream business partners and the capital markets to advance security. Cybersecurity technologies—from biometric identifiers to firewalls to encrypted databases—and cybersecurity services—from consulting to liability insurance to network monitoring—thrive on competition.
Washington should recognize that tomorrow’s information society will not resemble today’s, especially as biometric authentication and holographic computing emerge. Government brings little to the table on these high-tech frontiers, besides and appetite for regulation. Ill-conceived public policy could do grave damage.
Emphasize securing government networks: Government is a lead offender in network vulnerabilities, and its own disdain for the sanctity of personal information is appalling. Washington should focus on protecting the government’s own networks and setting security standards for its own agencies and arresting actual computer criminals.
Don’t define what security is: The White House's “authentication strategy” is overly presumptive in that it fails to acknowledge the legitimacy of anonymity strategies. In a free society, individuals should be able to present different faces to the world in different contexts. Inadequate authentication technologies and the inability to exclude bad actors are at the core of of today’s cybersecurity problems.
Stop interfering with the ability to make cybersecurity guarantees: Too often, firms want to make ironclad privacy guarantees but cannot do so on account of government. Policymakers should reform outdated privacy laws that provide insufficient protections against governmental access to sensitive data. In the same vein, they should avoid coercive data retention mandates, national identification schemes and warrantless Internet surveillance.
Deregulate critical infrastructure networks such as telecommunications and electricity: Businesses in the high-tech sector increasingly demand better service and security. Properly fulfilling these demands will necessitate total liberalization of critical infrastructure assets like telecom and electricity networks, including the relaxation of antitrust constraints that prevent firms, intra-industry, from coordinating information security strategies and enhancing reliability of overlapping critical infrastructure.
Reject privacy regulation: While government thwarts firms' ability to make privacy guarantees, it regulates information collection and use in destructive and short-sighted ways. The House Energy & Commerce Committee, for instance, is now considering draft legislation that would govern how private companies can use data.
Reject compulsory net neutrality: Compulsory net neutrality is incompatible with cybersecurity and should be explicitly ruled out by an act of Congress. Congress should hold hearings on the abysmal, primitive understanding that the administration and agencies seem to have of network property rights and the creation of secure infrastructure wealth and content.
- Cybersecurity and Authentication: The Marketplace Role in Rethinking Anonymity–Before Regulators Intervene ,
CEI is a non-profit, non-partisan public interest group focused on overregulation.