From Chemical Security to Cyber: Regulation Still Not the Answer
Jessica Zuckerman / David Inserra /
The House Committee on Energy and Commerce will hold a hearing on Thursday on the progress made in the Chemical Facility Anti-Terrorism Standards (CFATS) program over the past six months.
CFATS was once considered a great success in security and government regulations. In late 2011, however, a leaked Department of Homeland Security (DHS) memo brought to light the fact that the CFATS program turned out to be plagued by inefficiencies and inaction.
The negative reaction was swift and boisterous. By September 2012, however, DHS proclaimed that the program had “turned a corner,” promising Congress would see “hundreds of inspections occurring over the course of the next year.” Everything was purportedly back on track.
Now flash forward six months and we will get to find out just how true these claims have been. The true question, however, is how much can be done to fix a program that was flawed from the beginning.
As a Heritage report explained last year:
While a degree of government oversight over chemical security is needed, current standards are exceedingly burdensome and complicated, and overprescribe federal solutions with which the private sector must comply, threatening innovation and economic expansion.
If this sounds familiar, it’s because the Obama Administration and some in Congress believe the U.S. also needs a regulatory approach to cybersecurity. If CFATS is any indicator of how well DHS and other regulators deal with security regulations, however, cybersecurity regulations are bound to hurt security more than they help.
Indeed, the cyber realm is incredibly dynamic, and threats and technology are constantly changing. The threats that CFATS deals with, on the other hand, are not constantly changing, but the government still has a hard time making these regulations work. If the government cannot make CFATS work, how will it ever establish dynamic, well-functioning cybersecurity regulations?
Instead of adding more regulation every time a new threat emerges, Congress should rely on approaches that are dynamic, market-driven, risk-based, and cost-effective. This goes for both the chemical sector and the cyber realm. By rejecting regulation, the U.S. can come up with creative and appropriate solutions that do not hinder growth or real security.