Washington, it seems, can’t get no satisfaction.
After years of often-alarmist rhetoric about the threat of deadly cyber-attacks – and repeated calls for government to ‘do something’ to address the threat – President Obama has finally issued a comprehensive executive order on cyber-security.
Yet the reaction from politicians of both parties is that we still need new legislation.
We don’t.
The order takes a balanced approach that Congress should allow to work before it decides it needs to “strengthen” it.
Obama’s order establishes a process for the government to share unclassified cyber-threat information with industry. It also expands a program that allows for the sharing of classified information with participating critical infrastructure operators. House Republicans favor such an information-sharing approach because it eschews regulation.
It makes sense for the government to share relevant intelligence with private-sector companies, and then allow them to protect themselves as they see fit.
After all, they are the targets of the cyber-attacks.
They have the greatest incentive to protect themselves – as well as the best knowledge about their own systems – and they should therefore have the flexibility to secure themselves not according to a government rule book, but by whatever means they deem most effective.
Given that the executive order provides for information-sharing, why do Republicans think they still need to pass the Cybersecurity Intelligence Sharing and Protection Act (CISPA), reintroduced in the House the day after the President issued his order? What does CISPA add?
The answer is that it gives businesses immunity from suit and criminal prosecution based on any information shared with the government. But we don’t need such blanket immunity to make information-sharing work.
Businesses are not prohibited from sharing information with the government, except by privacy statutes and by any contractual promises they may have made to their customers and users.
Privacy laws exist for good reason, however, and if Congress feels those laws are getting in the way of security, it should amend them as needed – not give the private sector a free pass for any violations that happen in the name of cyber-security.
Businesses should also be expected to keep their promises to users. If they want to share information they previously promised they would keep private, companies should renegotiate their contracts or update their privacy policies.
Still, there are critics who believe that the private sector doesn’t know what it’s doing, and that information sharing is not enough. Not to worry; the executive order has them covered, too.
The order directs the National Institute of Standards and Technology (NIST) to work with critical infrastructure operators to develop cyber-security best practices, and it directs the Department of Homeland Security to establish a voluntary program to encourage operators to adopt those standards. It also orders federal agencies to review their existing cyber-security rules to see if they are on par with the NIST-developed framework, and to update them if needed. As a result, we will likely see new sector-specific regulations to beef up the cyber-security of critical infrastructure.
Nevertheless, some Democrats – including the President – favor new legislation that would mandate cyber-security standards. But there is no need. First, Congress should allow the NIST- and DHS-led effort to play out. Why resort to a top-down and unnecessarily divisive approach before seeing how a cooperative effort works?
Second, critical infrastructure operators will always have to abide by the new regulations that sector-specific regulators, such as the Nuclear Regulatory Commission, will surely promulgate. And those sector-specific rules will be better- suited to the covered industries than the type of one-size-fits-all law Congress would likely enact.
Finally, to the extent sector-specific regulators find that they don’t have the authority to deal with critical infrastructure operators that refuse to protect themselves, Congress can always come back and give them that power, safe in the knowledge it hasn’t overreached.
Now that President Obama has acted on cyber-security, Congress doesn’t need to.
Yet guided by their worst impulses – to extend protections to business, or to exert bureaucratic control – members of Congress will insist that it is imperative they get in on the action.
If they do, they will undoubtedly be saddling us with a host of unintended consequences that we will come to regret later.
Jerry Brito is a senior research fellow at the Mercatus Center at George Mason University, and director of its Technology Policy Program.