Ahead of today’s cybersecurity hearing in the Senate, I wanted to jot down some thoughts on the issue. For over a year now, I’ve been questioning the need for federal intervention in cybersecurity and calling for a slower and more deliberate process. Perhaps I come across as a refusenik, but I hope that I’m at least lending some balance to the debate.
First, let me say that I fully recognize that the U.S. faces serious cyber threats. Here is one of the best (and most honest) cases for being worried that I’ve seen. I get it.
That said, what I try to point out is that the existence of a threat does not necessarily mean that regulation is necessary. In many cases, the threat can be internalized by affected private actors. Even if we determine that some private actors are not internalizing the costs, prescriptive regulation can sometimes do more harm than good. The best thing we can do is not try to prevent harm at all costs, but instead make sure that we are resilient so that no single threat can destroy us. And we may be more anti-fragile—more resilient and more capable of adaptation—than we’re led to believe.
That brings me to the other thing I try to point out: that the rhetoric surrounding cybersecurity is often unnecessarily alarmist. Introducing the Cybersecurity Act of 2012, Sen. Rockefeller equated the cyber threat with the nuclear threat. I’m sorry, but I don’t think that’s right. It does scare people, however, and I’m afraid that we will be sold an expensive bill of goods based on fear.
So I’m happy to see that both the Senate and the House have begun to take more realistic approaches to cybersecurity. For example, the Rockefeller-Snowe bill from last Congress would have required the Department of Commerce to develop “a national licensing, certification, and periodic recertification program for cybersecurity professionals,” and would have made certification mandatory for anyone engaged in cybersecurity. I’m happy to see that’s gone from the new bill. I’m glad that there is no “Internet kill switch.” I’m also happy to see that the bill includes a way for private industry to appeal its inclusion in the regulatory regime.
Where do I think there may be a role for government? Information sharing certainly comes to mind. There is no doubt that there’s a lot that the public and private sectors can learn from each other. And to the extent that private actors are prevented by privacy laws from cooperating on cybersecurity, there should be a way to facilitate cooperation without endangering consumer protections. Additionally, requiring disclosure of security breaches is not a bad idea. It would allow insurance markets and other markets to serve as an alternative to regulation, or, as Cass Sunstein calls it, regulation through transparency.