Foreign cyberattacks threaten both our critical infrastructure (think power plants) and our “digital lives” (think online banking). The Russians are very sophisticated. The Chinese use overwhelming numbers of hackers. The Iranians, while not in the same league as the others, are in there cyber-swinging as well. Add in criminals, terrorists and individual political agendas, and the cyberthreat “stew” is thick and potent. It’s a real problem that must be addressed.
Congress recently tried, but failed, to pass a comprehensive cybersecurity bill. Now, President Obama is threatening to impose rules through an executive order. That would be a mistake, for two reasons: first, the executive branch should never just blow off Congress, and second, the president’s advisers are recommending the wrong approach.
Washington’s standard “regulate the problem to death” approach just won’t cut it. We’re not talking about auto-safety issues here. We’re talking about a constantly evolving, constantly changing threat. The government regulatory process is too slow, and the regulations too static, to help in the “million-mile-an-hour” world of “cyber.” The bad guys will simply go around yesterday’s regulatory “solution” with today’s (or tomorrow’s) new attack technique. We need to act, but smartly and with positive effect.
To improve cybersecurity through legislation, it is essential that the proposal promote information sharing, provide for cyberinsurance, improve the cyber supply chain, establish a cyber right to self-defense, and push public cyber know-how.
Better information sharing about cyberattacks is always talked about, but seldom enabled. Companies that have been attacked may have incurred high-cost damages and be reluctant to talk about it for fear of scaring away more business. Rather than demand they share information, rules should encourage them to share. Sharing incentives include affording them protection from lawsuits; letting them remain anonymous (so their stock prices don’t plummet); shielding the data shared with the government from Freedom of Information Act requests; and assuring them that the government will relay actionable information to other companies fast and effectively.
Legislation must also foster development of a true cyberinsurance business. What’s needed is an independent, nongovernmental organization to set truly dynamic and flexible standards for what constitutes best practices in various industry sectors. Then the present insurance industry will have “actuary tables” from which they can sell valid insurance. The better your company’s security, the less you pay in premiums.
Given that the components of computers, tablets, smartphones, and pretty much everything else are made all over the world (including cyberthreat countries such as China), the cyber supply chain needs to be protected. Again, a nongovernmental organization, which can inspect supply-chain practices, operations and security methods, should be established. It can give grades to a tech company’s operation, much like Underwriters Limited (those guys who put the stickers on the back of toasters and TVs) evaluates the safety of other products. Companies that get very high grades can charge more for their products. Buyers who want to economize can take a chance with less expensive — but potentially less secure — items. The customer makes an informed risk-based decision.
Currently, companies do not know what rights they have to protect themselves from hackers. If they are attacked, can they fight back? If lawmakers don’t want cybervigilantes, they should articulate parameters for self-defense that are legitimate and well-known.
Lastly, lawmakers should push awareness, education and training initiatives to combat both the ignorance and the hype about the cyberthreat. Give people the truth of what they need to know about cyberthreats, and give them the tools to play a role in protecting themselves, their homes and their businesses. This should be done early, often, dynamically and continuously.
Rather than short-circuit the democratic process, the White House should give Congress a chance to develop a law that provides the above elements.
• Steven Bucci is senior research fellow for defense and homeland security at the Heritage Foundation.