Last night, the Cybersecurity Act of 2012 (CSA) failed to pass the U.S. Senate. The vote is already being portrayed as Republican obstructionism, even though five Democrats voted against the bill and four Republicans voted for it.
Such rhetoric is being used to justify a cybersecurity executive order that mimics the CSA. Instead of using cybersecurity as a political bludgeon for more executive power grabs, Congress should continue to debate the real policy differences that cross party lines.
The CSA failed to the pass the Senate because it uses a regulatory approach to cybersecurity. The House of Representatives did not even consider such a regulatory option. The executive order, however, takes the same regulatory approach that has been rejected in both houses of Congress.
The reason Congress could not agree to cybersecurity regulations is because there are too many questions left unanswered and too many concerns unaddressed. The executive order answers none of these questions and leaves cybersecurity regulations completely up to executive whim. If the executive order is issued, the U.S. would just have to wait and see to figure out the answers to these questions:
- How much would it cost?
- What critical infrastructure would be covered?
- Would the standards be outdated before they even take effect?
- How would it affect innovation?
- Can the government develop good standards?
These and other important questions deserve to answered, but the Administration does not seem interested in finding out the answers. Most likely, it is because the answers don’t look good.
The cost of regulations is unknown, but depending on what regulators come up with, the cost to the private sector could potentially be very high. The scope of such regulations could also be widespread, hitting business from agriculture to banking. Cyber regulations would likely be outdated before they are even finalized. Regulations would likely stifle innovation, not enhance it. And given the ongoing failure of the U.S. government to protect itself from cybersecurity attacks, there isn’t a very good reason to put our faith in government-driven rules.
Instead of issuing an executive order with a flawed cybersecurity approach similar to the twice-defeated CSA, the Administration should focus on more nimble and less costly solutions, such as information sharing. Information sharing provides the government and the private sector with up-to-date warnings against cyber threats and vulnerabilities while costing nearly nothing.
Since both the Senate and House agreed that information sharing is important, sharing, not regulation, should serve as the basis for a meaningful and bipartisan cybersecurity bill during the next Congress.