Here, in one sentence, is what’s wrong with Stewart Baker’s testimony on cybersecurity before the Senate Homeland Security committee today:
If an asset is not designated as “covered critical infrastructure,” then the owner has no obligation under the bill to guard against attack by hackers, criminals, or nation states, leaving those who depend on the asset unprotected.
The logic here is that if a private network is not forced by government to protect itself, then it will be left unprotected and wide open for attack. There is no private incentive to secure one’s investment, the argument seems to be. If you’d like an explanation of why this isn’t logical, see Eli Dourado’s paper on cybersecurity market failure.
One more thing: according to Baker, present network insecurity “could easily cause the United States to lose its next serious military confrontation.” I understand asymmetric threats, but here is a listing of military spending by country. “Easily” doesn’t come to mind.