On June 16, House Intelligence Committee Chairman Mike Rogers (R–MI) and committee member Mike Pompeo (R–KS) sent a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler warning against regulatory cybersecurity measures.
The lawmakers were responding to a speech Wheeler gave at the American Enterprise Institute on June 12 in which he called for a “new regulatory paradigm” to promote cyber readiness between government and the private sector. Wheeler acknowledged that “we cannot hope to keep up if we adopt a prescriptive regulatory approach,” but he left the door open for “other options” if private industry practices were deemed unsuccessful.
Rogers and Pompeo responded with apprehension:
“While your most recent speech to the American Enterprise Institute appears to indicate that you will rely on industry and the market first, our concerns remain…. Even well-meaning regulation cannot keep pace with evolving cybersecurity threats.”
Rogers and Pompeo posed five questions to Chairman Wheeler, wanting to know how the FCC would determine “success” in industry cyber readiness and asking for further explanation of the “other options” that Wheeler referenced in his speech. They also asked Chairman Wheeler to explain the FCC’s statutory authority to impose cybersecurity regulations.
According to a U.S. Government Accountability Office report, government cyber regulations encourage a “culture…focusing on compliance with cybersecurity requirements, rather than a culture focused on achieving comprehensive and effective cybersecurity.” Rogers and Pompeo agree: “Increased regulation is unlikely to alleviate cyber threats or enhance providers’ ability to respond to them in real time.”
Rogers and Pompeo’s concerns echo those of Heritage’s James Gattuso in his 2012 Issue Brief addressing cyber regulations:
“The more that firms are required to follow government-mandated plans and priorities, the less flexibility and innovation they can bring to solving the unique security problems they each face…. By mandating cybersecurity measures, the U.S. may end up hobbling its strongest weapons in the war against cyber threats.”
Instead, Congress should enact measures to encourage voluntary information sharing in the private sector. Congress ought to remove outdated barriers to information sharing that may cause businesses to withhold data crucial to preventing attacks on others. Furthermore, Congress should extend substantial liability protection to firms that share relevant cyber attack details with their peers. Lastly, Congress should protect this information from Freedom of Information Act (FOIA) requests and regulatory use.
There are other non-regulatory steps Congress should take to protect U.S. interests in cyberspace as well. For example, Congress should promote the voluntary adoption of a supply-chain security system developed by the private sector that would analyze and “grade” tech companies’ supply-chain security to protect U.S. systems from compromised hardware. In addition, the U.S. should encourage cyber awareness and education among the general public, while also taking steps in education and visa policy to develop a robust cyber workforce.
Stakeholders must feel confident in their ability to innovate and collaborate responsibly in the name of collective cybersecurity. Innovation is our best weapon against cyber threats. To use it, we must empower and protect our innovators.
Drew Tucker is currently a member of the Young Leaders Program at The Heritage Foundation.