[Infowarrior] - Cyber-Security: Stand Down, for Now, Congress

Richard Forno rforno at infowarrior.org
Fri Feb 22 15:10:58 CST 2013


http://nation.time.com/2013/02/22/cyber-security-stand-down-for-now-congress/

February 22, 2013

Cyber-Security: Stand Down, for Now, Congress

By Jerry Brito 

Washington, it seems, can't get no satisfaction.

After years of often-alarmist rhetoric about the threat of deadly
cyber-attacks – and repeated calls for government to 'do something' to
address the threat – President Obama has finally issued a comprehensive
executive order on cyber-security.

Yet the reaction from politicians of both parties is that we still need new
legislation.

We don't.

The order takes a balanced approach that Congress should allow to work
before it decides it needs to "strengthen" it.

Obama's order establishes a process for the government to share unclassified
cyber-threat information with industry. It also expands a program that
allows for the sharing of classified information with participating critical
infrastructure operators. House Republicans favor such an
information-sharing approach because it eschews regulation.

It makes sense for the government to share relevant intelligence with
private-sector companies, and then allow them to protect themselves as they
see fit.

After all, they are the targets of the cyber-attacks.

They have the greatest incentive to protect themselves – as well as the best
knowledge about their own systems – and they should therefore have the
flexibility to secure themselves not according to a government rule book,
but by whatever means they deem most effective.

Given that the executive order provides for information-sharing, why do
Republicans think they still need to pass the Cybersecurity Intelligence
Sharing and Protection Act (CISPA), reintroduced in the House the day after
the President issued his order? What does CISPA add?

The answer is that it gives businesses immunity from suit and criminal
prosecution based on any information shared with the government. But we
don't need such blanket immunity to make information-sharing work.

Businesses are not prohibited from sharing information with the government,
except by privacy statutes and by any contractual promises they may have
made to their customers and users.

Privacy laws exist for good reason, however, and if Congress feels those
laws are getting in the way of security, it should amend them as needed –
not give the private sector a free pass for any violations that happen in
the name of cyber-security.

Businesses should also be expected to keep their promises to users. If they
want to share information they previously promised they would keep private,
companies should renegotiate their contracts or update their privacy
policies.

Still, there are critics who believe that the private sector doesn't know
what it's doing, and that information sharing is not enough. Not to worry;
the executive order has them covered, too.

The order directs the National Institute of Standards and Technology (NIST)
to work with critical infrastructure operators to develop cyber-security
best practices, and it directs the Department of Homeland Security to
establish a voluntary program to encourage operators to adopt those
standards. It also orders federal agencies to review their existing
cyber-security rules to see if they are on par with the NIST-developed
framework, and to update them if needed. As a result, we will likely see new
sector-specific regulations to beef up the cyber-security of critical
infrastructure.

Nevertheless, some Democrats – including the President – favor new
legislation that would mandate cyber-security standards. But there is no
need. First, Congress should allow the NIST- and DHS-led effort to play out.
Why resort to a top-down and unnecessarily divisive approach before seeing
how a cooperative effort works?

Second, critical infrastructure operators will always have to abide by the
new regulations that sector-specific regulators, such as the Nuclear
Regulatory Commission, will surely promulgate. And those sector-specific
rules will be better-suited to the covered industries than the type of
one-size-fits-all law Congress would likely enact.

Finally, to the extent sector-specific regulators find that they don't have
the authority to deal with critical infrastructure operators that refuse to
protect themselves, Congress can always come back and give them that power,
safe in the knowledge it hasn't overreached.

Now that President Obama has acted on cyber-security, Congress doesn't need
to.

Yet guided by their worst impulses – to extend protections to business, or
to exert bureaucratic control – members of Congress will insist that it is
imperative they get in on the action.

If they do, they will undoubtedly be saddling us with a host of unintended
consequences that we will come to regret later.

Jerry Brito is a senior research fellow at the Mercatus Center at George
Mason University, and director of its Technology Policy Program.


---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.