Senate Majority Leader Harry Reid seems to think anyone who disagrees with him is motivated solely by Tea Party ideologies. He has said so concerning cybersecurity. This hubris and an apparently burning desire to pass something in this area threaten to overwhelm good judgment. Mr. Reid and his congressional colleagues’ desire to address the very real cyber threats is laudable, but their sincerity aside, their proposed Cyber Security Act of 2012 is the wrong solution for this problem. The split is not between Democrats and Republicans; it is between competing views of the way to better security.
Ann Beauchesne of the U.S. Chamber of Commerce has written an excellent article addressing the wrong-headed approach to cyber being pushed on the Hill and potentially forced through an executive order.
The main reason these efforts are wrong is that they are based on a regulatory model. This sort of solution is a 19th-century answer for a 21st-century problem. Regulations mandating info sharing will not help, as they will lead to a lowest-common-denominator compliance culture, which will only fall farther behind, not add security.
A bill that at least has a chance of adding to the nation’s security must have several elements:
- Enable voluntary info sharing. This means indemnifying those who share info, allowing them to remain anonymous, and exempting the info shared from FOIA requests;
- Develop a real cyber insurance business enabled by a non-government standard-setting organization. If your security is deemed good, you pay less in premiums;
- Regularize and improve supply chain security, again by forming a non-governmental organization, which is able to “grade” companies (similar to Underwriters Limited). This way, customers can decide if they want to pay more to get additional supply chain security;
- Establish the rules for a cyber right of self-defense; and
- Launch a true full-court press for awareness, education and training.
Several of these areas will not be easy to accomplish, but the effort is worth it. Action is needed, but it must be action that improves security, not action that just makes the legislators feel good.