The Senate Commerce Committee wants to hand control of the Internet over to the Obama White House. Increased government intervention isn’t the answer to the nation’s cybersecurity problem.
A copy of revised legislation obtained by The Washington Times shows that committee Chairman John D. Rockefeller IV, West Virginia Democrat, and Sen. Olympia J. Snowe, Maine Republican, have heeded some warnings about their original bill. However, concrete steps aimed at ensuring more efficient cooperation between federal agencies and the private sector in the case of a cyber-attack remain absent.
As originally envisioned, the legislation would have established the Commerce Department as the main agency to deal with key private-sector players. Mr. Rockefeller and Ms. Snowe backed off that plan. However, instead of designating the Department of Homeland Security — which has a strong history with cyber-industries — as the main agency to coordinate the federal response, the new bill gives President Obama the ability to designate whichever agency he sees fit. The Obama White House has demonstrated that its internal politics limit its effectiveness in coordinating federal cyberpolicy from the top.
While the president created a cyberczar to oversee response duties at disparate federal agencies, the position was not given the power needed to ensure effectiveness. Instead of reporting directly to the president, the czar - who has yet to be appointed - is to report to both the National Economic Council and National Security Council, making the position just another cog in the federal leviathan.
Abandoning aspirations to make the Commerce Department the government’s central cybersecurity agency also doesn’t mean that the committee has abandoned expanding the agency’s power. The measure still seeks to implement a new regulatory structure on critical infrastructure systems. While it makes sense for the department’s National Institute of Standards and Technology to establish protocols for computer components, a new one-size-fits-all regulatory approach to dynamic cybersecurity systems ultimately would cause more harm than good.
The measure also would establish a government certification program for cybersecurity personnel. Such a process has the potential to drive up costs and reduce the number of cybertechnicians, the exact opposite of what is intended. Both regulatory efforts would be costly burdens for industry.
Lawmakers were cautious and abandoned language giving the president implicit power to shut down private-sector cyber-infrastructure. This not only was impractical, but it overreached in putting government’s hand deep into the open market. But new language on the subject, like much of the bill, is highly subjective. It gives the president the power to declare a cyber-emergency but goes on to direct him to work with industry in such a situation. How would that work?
The Senate Homeland Security and Governmental Affairs Committee is expected to release its own cyberpolicy bill this fall. We hope it does a better job of addressing the nation’s critical cybersecurity needs instead of simply looking to expand federal power.