When Senate Majority Leader Harry Reid introduced a cybersecurity bill designed, essentially, to implement the White House's framework for protecting the nation's critical infrastructure, John McCain was quick to throw himself in front of the train, saying the bill would "stymie job creation" by imposing new costs on private industry. He told a meeting of the Homeland Security Committee:
If the legislation before us today were enacted into law, unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses, which own roughly 90% of critical cyber infrastructure.
Meanwhile, the private sector enterprises potentially affected by the bill long ago set up a chorus of lamentation -- via the US Chamber of Commerce -- about burdensome regulations. Unsurprisingly, the companies which own key parts of the critical infrastructure would prefer incentives to new rules.
Yesterday, we were able to see what McCain's alternative looks like. The "Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act" resolves into a neat acronym -- SECURE IT -- but otherwise is little more than an attempt to preserve the profoundly insecure status quo.
Introduced by McCain and seven fellow Senators, the bill seeks to improve cybersecurity without regulating existing systems. It's an application, in other words, of the principle that "more government is seldom a solution to any problem," as co-sponsor Saxby Chambliss put it.
Maybe the McCain proposal represents an alternative, even streamlined, route to the same goals? Let's take a look. The Cybersecurity Act of 2012 -- Harry Reid's preferred measure, which enjoys bipartisan support -- would make the Department of Homeland Security responsible for designating the elements of the infrastructure that need to meet a defined set of security standards.
The private sector would determine how best to meet the standards, but compliance would be verified, either by a third-party or through self-certification. Hardly draconian.
The SECURE IT Act takes the DHS out of the picture completely, and doesn't replace it with any other regulatory body. Rather, it emphasizes "partnership" and voluntary information sharing between the private sector and government. It does require federal contractors providing cybersecurity services to government to report threats to such services, conferring legal protections in return.
It does increase penalties for some cybercrimes, but proudly imposes no new regulations on industry.
There really are people who are prepared to say that cybersecurity can be left in private hands. Tom Ridge, former head of the DHS, is one of them. He told the Homeland Security Committee:
The private sector routinely thwarts cyber attacks against its networks because it is fast and nimble in its response and recovery efforts. A new regulatory regime would box in our critical infrastructures, hampering the freedom, agility, and innovation needed to deflect or defeat adversaries who are often quite amply resourced.
It's not that Ridge is crazy. It's just that he's now employed by the US Chamber of Commerce.
Of course the private sector thwarts cyberattacks. Doubtless it thwarts them every day and every hour. But it's equally evident that cybercrime is often spectacularly successful. Bringing down the Sony PlayStation network for weeks on end is one thing. Crashing the power grid for half that time would be a disaster. The NSA believes hackers could do it.
But let's trust industry not to let it happen.
— Kim Davis, Community Editor, Internet Evolution