Cybersecurity legislation will likely be taken up by the Senate tomorrow. Regrettably, the idea that we just need to do something about cybersecurity seems to be trumping the view that we need to do it right.
The Cybersecurity Act of 2012 (CSA), authored by Senators Joseph Lieberman (I–CT) and Susan Collins (R–ME), seeks to solve our cybersecurity ills but only threatens to make the situation worse.
Newly revised, the CSA attempts to use “voluntary” standards to help owners of critical infrastructure protect their facilities. Though there are some improvements over previous iterations of the bill, the bill suffers from many of the same weaknesses as well as new ones.
The CSA offers incentives, such as classified cyber threat information, to actors that meet these standards. But if this critical infrastructure is truly critical, there is no good reason to withhold valuable information from those who might not check every box the government suggests.
The CSA also remains flawed because the standards it writes will be obsolete by the time they are enacted. The processing power of computers doubles every 18–24 months, and it takes 24–36 months to write a major regulation or rule.
Also worrying is the fact that standards under the CSA are likely to chill cybersecurity innovation. It makes no sense for cybersecurity firms to create new programs while the standards are being written, since these new programs might not fit the standards. Once the standards are written, they will discourage the creation of new, innovative solutions that do not match the standards.
The “voluntary” nature of the CSA’s standards is also questionable. Any voluntary standard is one step away from mandatory, and Senator Lieberman has already indicated that if the standards aren’t voluntarily used, he would push to make them mandatory.
Even more concerning, Section 103(g) of the CSA gives current regulators the power to make these “voluntary” standards mandatory. If a regulator doesn’t mandate the standards, the regulatory will have to report to Congress why it didn’t do so—strong encouragement to just make the standards mandatory and avoid a congressional inquisition.
Finally, the sharing and analysis of cybersecurity threat information was weakened by confining cybersecurity information exchanges to civilian organizations. Though in an ideal world the Department of Homeland Security (DHS) would have the capability to lead our cybersecurity efforts, it currently lacks those capabilities and needs to lean on more capable organizations such as the National Security Agency. The recent changes, however, give DHS more responsibility than it is likely able to handle.
As Congress considers cybersecurity legislation, it should resist the temptation to think that it can fix the cybersecurity problem with enough rules. Cybersecurity will never be perfect, but there are other improvements that can be made that involve lower costs and greater flexibility.