Cybersecurity Legislation Should Be Done Well or Not at All

    Cybersecurity legislation will likely be taken up by the Senate tomorrow. Regrettably, the idea that we just need to do something about cybersecurity seems to be trumping the view that we need to do it right.

    The Cybersecurity Act of 2012 (CSA), authored by Senators Joseph Lieberman (I–CT) and Susan Collins (R–ME), seeks to solve our cybersecurity ills but only threatens to make the situation worse.

    Newly revised, the CSA attempts to use “voluntary” standards to help owners of critical infrastructure protect their facilities. Though there are some improvements over previous iterations of the bill, the bill suffers from many of the same weaknesses as well as new ones.

    The CSA offers incentives, such as classified cyber threat information, to actors that meet these standards. But if this critical infrastructure is truly critical, there is no good reason to withhold valuable information from those who might not check every box the government suggests.

    The CSA also remains flawed because the standards it writes will be obsolete by the time they are enacted. The processing power of computers doubles every 18–24 months, and it takes 24–36 months to write a major regulation or rule.

    Also worrying is the fact that standards under the CSA are likely to chill cybersecurity innovation. It makes no sense for cybersecurity firms to create new programs while the standards are being written, since these new programs might not fit the standards. Once the standards are written, they will discourage the creation of new, innovative solutions that do not match the standards.

    The “voluntary” nature of the CSA’s standards is also questionable. Any voluntary standard is one step away from mandatory, and Senator Lieberman has already indicated that if the standards aren’t voluntarily used, he would push to make them mandatory.

    Even more concerning, Section 103(g) of the CSA gives current regulators the power to make these “voluntary” standards mandatory. If a regulator doesn’t mandate the standards, the regulator will have to report to Congress why it didn’t do so—strong encouragement to just make the standards mandatory and avoid a congressional inquisition.

    Finally, the sharing and analysis of cybersecurity threat information was weakened by confining cybersecurity information exchanges to civilian organizations. Though in an ideal world the Department of Homeland Security (DHS) would have the capability to lead our cybersecurity efforts, it currently lacks those capabilities and needs to lean on more capable organizations such as the National Security Agency. The recent changes, however, give DHS more responsibility than it is likely able to handle.

    As Congress considers cybersecurity legislation, it should resist the temptation to think that it can fix the cybersecurity problem with enough rules. Cybersecurity will never be perfect, but there are other improvements that can be made that involve lower costs and greater flexibility.

    Posted in Security

    4 Responses to Cybersecurity Legislation Should Be Done Well or Not at All

    1. KJinAZ says:

      Cyber Security is a HOAX! There is not a way to totally secure ANY computer on the internet. There are many ways to break in that were created for the use of Microsoft and the government. The problem is they can be exploited by anyone who knows how. Even if they did not build those back doors into every computer, there are yet other ways to get in. All the current security does is make it more difficult to get in, but it is not real protection. Computers do ONLY what they are instructed to do, so you just have to know how to tell it what you want it to do.

    2. Bobbie says:

      Totally agree with KJinAZ! We're for "not at all!"

    3. Charles says:

      While this Act has defects, there is good reason for refined Cyber Security legislation. Just because the best option for a solution to our Cyber Security issues isn't flawless doesn't mean we shouldn't implement it. Would you forgo building a wall around a city if you knew 10% of attackers would still be able to get in? No. Because you would still be able to prevent the other 90% of invaders from entering the city. This same logic applies to Cyber Security; an imperfect wall is better than no wall at all.

    4. Mike says:

      Well, would you build that same wall if the rules around building made it so those constructing it were not allowed enough flexibility to create solutions to problems they encounter while working, and as a result the wall is of poor craftsmanship [say they have to follow a very specific mortar recipe that works well in the North, but in the South there is a lot more rain they didn't account for, and because they can't deviate to change it because it is against the law, when the wall is done it is now weaker in the South and susceptible to collapse due to the bad mortar]. Right now, as a computer professional, I can say there are two major issues. A: Most politicians are so far out of touch with technology, how could they ever hope to craft any really meaningful legislation without exhaustive professional help? I mean, Gore called the internet a series of interlinked tubes and he is one of the tech gurus we have in Washington. Until I see a good number of professionals either being asked to do true studies, come and at least testify to Congress so that they have a minimum record of recommendations to at least look at, or hear of techs being called in to give advice to politicians one-on-one, ANYTHING they try to do about the problem will be HIGHLY suspect in my eyes.

      Two is the nature of politics vs. technology. Politicians by their very nature try to exert a special form of control wherein they are trying to derive as much verifiable power as they can. That is to say, they want people reporting to them about what's going on and they like to retain the right to exert executive control at any time they choose. It is just how they operate, and while doing this they end up designing a lot of "standards" and inspections in attempts to make sure what they want to happen is happening. I am not here to knock government; I in fact believe a society needs a government to protect it, to help ensure social welfare is provided to those who may need it, as a dispute-settling force, and finally as a facility of interaction among its citizens [be a central kind of entity where trade agreements, tax levels needed, etc. need to be figured out for the populace as a whole]. I am also a realist who sees that you don't get into government [in most cases] to help your fellow man, and you normally don't make it far without someone somewhere making at least some shady deals to get you there [again, not saying 100% of politicians; there are exceptions to every rule].

      Essentially, what I am driving at with that is usually government is super slow to react to things, and especially in the realm of cyber security, whether this is a slow-to-change rigid standard that stops innovation, to the need to get things signed off on. If, say for instance, there is an incoming attack on a super critical system, what do they do? I hope it is not try to wake 5 people up and get their OKs on actions needing to be taken, as by the time they get authorized I am sure the encounter would be over before they even tried to stop it.

      I do think there should be rules, laws, whatever in place to protect people, companies and our countries, but I think it should be framed more in the way of the FCC type of thing [not EXACTLY like it, but the closest thing I can think of], where there are guidelines, and rules, and an oversight organization for the internet so that people or companies would have a place to go for help, and companies would have a place to collectively put together standards like the IEEE folks [where they are kinda binding in that if you want to maximize the network equipment you sell you might want to build to their standard, yet if you choose to go your own way they won't stop you].

      This would help to hopefully give some oversight, protections, and centralize a few things to streamline how everyone interacts with the internet to help get it into a more unified fashion. Yet this would have to be flexible enough to allow for easy innovation on new or existing things without fear of stifling penalties, and realize that a light touch in this case is WAY better than a clenched fist around it. I think of it like television censoring between the 1950s and now: in the 50s they censored EVERYTHING and most shows looked very similar [like two people could not sleep in the same bed on TV, for instance], and that really seemed to stifle a lot of creativity on television shows. Now, they are allowing things like real-life TV like Big Brother, and while I may not like those types of shows, they are allowed to be around due to how much more flexible the government has become about it.
