• The Heritage Network
    • Resize:
    • A
    • A
    • A
  • Donate
  • Cybersecurity Executive Order Touts More Regulation as the Solution

    As if the flood of regulations coming after the election weren’t bad enough, a draft of the newest cybersecurity executive order obtained by Heritage reveals that even more regulations are coming.

    This draft executive order is similar to the failed Cybersecurity Act of 2012 in that it proposes additional regulations as a solution to the U.S.’s cybersecurity woes. A regulatory executive order for cybersecurity is flawed and insufficient, and it ignores the deliberative process of Congress, which has thus far rejected a regulatory approach.

    The executive order starts with several pages that talk about voluntary cybersecurity regulation and having the Department of Homeland Security (DHS) work with other agencies to come up with cybersecurity best practices. This innocent enough beginning is soon superseded in section 7 of the draft.

    In that section, regulators are first charged with determining what pre-existing authority they have that would allow them to regulate cybersecurity. Next, the order instructs DHS to use the list of best practices to create a “prioritized… set of actions” that should be taken to “mitigate or remediate identified cybersecurity risks.” Finally, the executive order says that regulators “are encouraged to propose regulations…based on such set of prioritized actions.”

    This executive order is being hyped as a voluntary effort with public–private partnership and cooperation. However, it is not much of a partnership if the government is just telling the private sector what to do through regulations. Most importantly, regulations are the wrong approach to cybersecurity for several reasons.

    First, regulations are static solutions to a dynamic problem. There is no way that regulations will be able to keep up with the rapidly changing threat, since it takes major regulations from two to three years to be written. In that time, the processing power of computers will double or quintuple. It would be like if a nation built a wall to stop its enemy, but the enemy invented newer, faster tanks that just go around the wall. Regulations will not help the private sector combat newer and more powerful cyber attacks.

    Second, regulations create a false sense of security and an attitude of compliance. The private sector would follow the regulations and do little more. After all, if it follows the regulations, the government has declared that the private sector is doing cybersecurity right. This will give the private sector the wrong incentive. Instead of promoting the adoption of the most appropriate cybersecurity system, regulations merely encourage the private sector to meet the outdated standards.

    Third, regulations hinder innovation. Since companies will try to meet outdated cybersecurity regulations, cybersecurity companies will focus on meeting this demand. However, time spent meeting this demand for older cybersecurity approaches is time not being spent innovating ways to fight newer threats.

    Finally, the costs of regulations are simply unknown. The regulations could tell the private sector to buy costly but antiquated cybersecurity systems. There is no way to know until the regulations are written.

    A better solution to cybersecurity would involve effective information sharing, as it can keep up with the daily changes in cybersecurity threats. The executive order, however, admits that it “cannot establish” the correct incentives to enable information sharing.

    Instead of continuing with this flawed regulatory approach, President Obama should let Congress continue its deliberations and develop a constructive cybersecurity policy.

    White House Draft Executive Order (Publicly Circulating Copy – 11-1-12)y

    Posted in Security [slideshow_deploy]

    2 Responses to Cybersecurity Executive Order Touts More Regulation as the Solution

    1. KJinAZ says:

      Romney can wipe out ANY Executive order. We do need to make this one a priority. Are you listening out there in Romney Land?

    2. Denver Dave says:

      This article is wrong on so many levels.

      Regulations don't stifle innovation. The Internet is one of the most regulated things in the world. It has thousands of RFCs, thousands of Internet Drafts, thousands of minor regs like the PKCS series. These regulations set a bar for entry, but at the same time guarantees a minimum level of service and interoperability.

      Security can be regulated, even in a changing environment. There are best practices which have been known since the Morris worm in the late 1980s. Firewalls, intrusion detection systems, password policies, key strength, key sharing rules, etc. It's easy to set a minimum acceptable criteria that will block the vast majority of attacks. The reason why security is such a fluid field is because people don't implement these policies. In systems where the policies have been in place a long time, like Unix and Linux, they still apply. This article's assertions are like saying "people get sick from a variety of different things, so it doesn't make sense to tell you to wash your hands." There will always be a new attack, but we have to start with preventing the Internet version of the flu.

      Third, maybe they're right that the cost of implementation is not known. The cost of not implementing is also not know. But, we know the cost of not implementing is many times greater than the cost of implementing. That's good enough.

    Comments are subject to approval and moderation. We remind everyone that The Heritage Foundation promotes a civil society where ideas and debate flourish. Please be respectful of each other and the subjects of any criticism. While we may not always agree on policy, we should all agree that being appropriately informed is everyone's intention visiting this site. Profanity, lewdness, personal attacks, and other forms of incivility will not be tolerated. Please keep your thoughts brief and avoid ALL CAPS. While we respect your first amendment rights, we are obligated to our readers to maintain these standards. Thanks for joining the conversation.

    Big Government Is NOT the Answer

    Your tax dollars are being spent on programs that we really don't need.

    I Agree I Disagree ×

    Get Heritage In Your Inbox — FREE!

    Heritage Foundation e-mails keep you updated on the ongoing policy battles in Washington and around the country.

    ×