The White House and certain Members of Congress are frustrated with their inability to get their way with regard to cybersecurity.
Recently, Congress tried unsuccessfully to pass a comprehensive cybersecurity bill. Proponents of the bill are furious. In response, the President threatened to simply dictate rules through an executive order. The issue has been portrayed as a partisan one by some commentators, but this could not be further from the truth.
There is a real divide over how to address the challenges of cyber threats, but the opposing sides are not lined up by party affiliation; they are divided by differences over the right way to fix the problem. The threats to American critical infrastructure, and to all our “digital lives,” are real.
The Russians are the most sophisticated, the Chinese use overwhelming mass, and the Iranians, while not as technologically capable as the others, make up for it with evil intentions and sheer hard work. Add in criminals, terrorists, and individual “hacktivists” with political agendas, and the cyber threat is real and daunting. Issues like privacy make this more complicated. This is a real problem that should be addressed sensibly and with thorough consideration.
The way some legislators and the President want to solve it will simply not work. They want to dictate government regulations the way their predecessors wrote rules for safety in the auto industry. They are convinced that simply adding government regulations (and regulatory entities) will help.
Regulations are too slow to develop, vet, and promulgate and too static to be effective in the digital world. They simply encourage bad guys to study the compliance-based “rules” and go around these checklists with new attack techniques.
Action is needed, but to just do something that has no positive effect—or even a harmful one—is a waste of time, money, and effort.
Any cybersecurity law should promote information sharing, provide for cyber insurance, improve cyber supply chain security, establish a cyber right to self-defense, push public cyber hygiene, and foster a better cyber workforce.
The Administration’s efforts to address cybersecurity are an Industrial-Age solution to a cyber-age problem. It should allow the national debate to happen, drop the mandatory regulatory model, and adopt a flexible, 21st-century approach to cyber legislation.