This draft executive order is similar to the failed Cybersecurity Act of 2012 in that it proposes additional regulations as a solution to the U.S.’s cybersecurity woes. A regulatory executive order for cybersecurity is flawed and insufficient, and it ignores the deliberative process of Congress, which has thus far rejected a regulatory approach.
The executive order starts with several pages that talk about voluntary cybersecurity regulation and having the Department of Homeland Security (DHS) work with other agencies to come up with cybersecurity best practices. This innocent enough beginning is soon superseded in section 7 of the draft.
In that section, regulators are first charged with determining what pre-existing authority they have that would allow them to regulate cybersecurity. Next, the order instructs DHS to use the list of best practices to create a “prioritized… set of actions” that should be taken to “mitigate or remediate identified cybersecurity risks.” Finally, the executive order says that regulators “are encouraged to propose regulations…based on such set of prioritized actions.”
This executive order is being hyped as a voluntary effort with public–private partnership and cooperation. However, it is not much of a partnership if the government is just telling the private sector what to do through regulations. Most importantly, regulations are the wrong approach to cybersecurity for several reasons.
First, regulations are static solutions to a dynamic problem. There is no way that regulations will be able to keep up with the rapidly changing threat, since it takes major regulations from two to three years to be written. In that time, the processing power of computers will double or quintuple. It would be like if a nation built a wall to stop its enemy, but the enemy invented newer, faster tanks that just go around the wall. Regulations will not help the private sector combat newer and more powerful cyber attacks.
Second, regulations create a false sense of security and an attitude of compliance. The private sector would follow the regulations and do little more. After all, if it follows the regulations, the government has declared that the private sector is doing cybersecurity right. This will give the private sector the wrong incentive. Instead of promoting the adoption of the most appropriate cybersecurity system, regulations merely encourage the private sector to meet the outdated standards.
Third, regulations hinder innovation. Since companies will try to meet outdated cybersecurity regulations, cybersecurity companies will focus on meeting this demand. However, time spent meeting this demand for older cybersecurity approaches is time not being spent innovating ways to fight newer threats.
Finally, the costs of regulations are simply unknown. The regulations could tell the private sector to buy costly but antiquated cybersecurity systems. There is no way to know until the regulations are written.
A better solution to cybersecurity would involve effective information sharing, as it can keep up with the daily changes in cybersecurity threats. The executive order, however, admits that it “cannot establish” the correct incentives to enable information sharing.
Instead of continuing with this flawed regulatory approach, President Obama should let Congress continue its deliberations and develop a constructive cybersecurity policy.