Lame Duck Threat: Cyber Security
Lame Duck Threat: About this series
With the election behind us, Congress will convene a lame-duck session. This series will highlight major issues facing Congress that may be decided by defeated and retiring.
The Issue: Two months ago, President Obama signed an executive order designed to jumpstart congressional action on cyber security legislation. The legislation being considered by Congress would institute a massive regulatory regime for the internet, under the guise of protecting Americans from cyber attacks by foreign nations. Of course, the federal government does not have a good track record of properly regulating industries without causing harm. It is ill-equipped to develop effective cyber security regulations, and would instead create a cumbersome regulatory process that would impose an undue burden on the industry. The legislation falls into the “more harm than good” category.
Why Lame Duck: Senate Majority Leader Harry Reid (D-NV) attempted to bring the bill up earlier this year, but Republicans blocked his effort when he refused to allow amendments to the underlying bill. Reid has indicated he will try to bring this bill, or perhaps the so-called Whitehouse-Kyl compromise, up again during the lame-duck session.
Conservative Position: Lawmakers could focus on improving information sharing, increasing public awareness and education, and increasing already established public-private partnerships. However, lawmakers must bear in mind that most conservative of all principles: First, do no harm.
- As with most Heritage’s Paul Rosenzweig explains, “The government’s track record on cyber security does not inspire confidence that it can devise effective cyber security regulations for the private sector.” Indeed, he identified more than 60 breaches of the government’s own systems in the past eight years. The federal government is hardly the gold standard of cyber security.
- The rapid pace of cyber innovation and the painfully slow pace of federal action are fundamentally incompatible. Rosenzweig says even “voluntary standards would stifle innovation and likely be obsolete by the time they are written. Over the multi-year process when standards are being written and adopted, innovation and investment in cybersecurity products will cease…”
- That does not mean there is no role for the federal government, but that role should be limited and smart, focused on enabling, not mandating. Heritage’s Steve Bucci puts forth the basic structure of any cyber security legislation: “promote info sharing, provide for cyber insurance, improve the cyber supply chain, establish a cyber right to self-defense, and push public cyber know-how.”