Senate Majority Leader Harry Reid (D–NV) recently promised to bring cybersecurity legislation back to the Senate floor during the lame-duck session of Congress. He also praised President Obama’s draft of a cybersecurity executive order while blaming “Republicans engaging in Tea Party-motivated obstruction” for the Senate’s failure to pass the Cybersecurity Act of 2012.
With all due respect, this is just not true. Senator Reid should know that within the Senate and policy community, there are substantial differences over how best to improve cybersecurity. One camp, which Senator Reid belongs to, believes that government-set standards and regulations will make the private sector improve its security. They argue that any defense, however flawed or costly, is better than nothing.
A second camp believes that regulations are essentially worthless and even harmful to cybersecurity, because they can’t keep up with the constantly evolving cyber realm. This camp points out that this standards-based system will likely be led by the Department of Homeland Security, an agency that is not known for its ability to prudently oversee regulations.
These regulations would also harm innovation. Standards would set forth ways to combat the last generation of cyber threats, as they would lag behind advances in technology. The private sector would buy cybersecurity products that focus on these outdated threats. As a result, companies that develop cybersecurity software and practices would focus on providing products that meet this outdated cybersecurity standard, since that is what most companies would be buying.
Additionally, standards and regulations are likely to result in compliance rather than real security. Many companies would see the government standard and do the minimum needed to meet that checklist. This kind of mindset ignores newer, more effective ways of dealing with cybersecurity threats.
These are not political talking points, as Senator Reid claims. In fact, six Democrats voted against the Cybersecurity Act of 2012, while only five Republicans voted for it. Senators and Representatives from both parties have legitimate policy differences. As a result of these serious differences, no bill with a standards-based approach was able to pass either house of Congress. That is why President Obama is unwisely considering an executive order for these standards.
Cybersecurity threats are real, and Congress should continue to work on cybersecurity legislation—but not by starting with a flawed and rejected approach. Both the Senate and House agree that voluntary information sharing is important and that such a policy could be the basis for meaningful, bipartisan cybersecurity legislation. Information sharing carries few costs, is entirely voluntary, and provides the private sector and government with more and better information to combat cybersecurity threats.
Instead of deriding those with a different perspective, Senator Reid would do well to consider a non-regulatory approach to cybersecurity.