Last Friday, Heritage’s Steve Bucci wrote a piece on the defeat of the cybersecurity legislation in the Senate and called for President Obama to respect the will of the people’s duly elected representatives. However, President Obama seems to have missed that blog, since over the weekend, White House press secretary Jay Carney sent an e-mail indicating that the President is indeed considering an executive order:
“In the wake of Congressional inaction and Republican stall tactics, unfortunately, we will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have fixed.… Moving forward, the President is determined to do absolutely everything we can to better protect our nation against today’s cyber threats and we will do that.”
While we agree that reforms and improvements in cybersecurity are needed, it is important that we prudently consider the intended and unintended effects of any piece of legislation. The legislative process ensures that ideas are debated and allows alternative ideas to be put forward. The executive order, on the other hand, eschews such open debate and instead imposes the President’s will with its weaknesses unmitigated by the legislative back-and-forth.
The resulting executive order may or may not be legally questionable; it would depend on its content and scope and the statutory authority under which it is supposedly authorized. Regardless, new cybersecurity regulations created as the result of legislation or an executive order are a poor policy choice because they cannot keep up with the dynamic cyber realm. By the time cybersecurity regulations are written, the power of computers will have doubled or even quadrupled, rendering the regulations obsolete.
Regulations will also stifle cybersecurity innovation. As the regulations will be several computer generations behind, they will be limited to fighting the threats we saw years ago, meaning new cybersecurity innovations might not fit the regulations. Few cybersecurity investors and innovators will work to develop new approaches to cybersecurity if the regulations do not consider these new approaches valid. As for updating these regulations, anyone who knows Washington bureaucracies knows that updates will not be timely, to say the least.
Congress and the Administration need to do cybersecurity right in terms of both content and procedure or not do it at all. The downsides are too large to ignore.