The Hill: Getting Cybersecurity Right
Originally published in The Hill, March 26th, 2012
Our nation’s computer systems are vulnerable to online attack. This is a growing threat to our economy and our national security. American businesses understand this threat — this is why last year they invested more than $80 billion in the security of their computer networks.
I came to Washington as the CEO of a manufacturing company. I know firsthand that the private sector is choking on a torrent of federal regulations. Job creators face a $1.75 trillion — and growing — regulatory burden. In his first three years, President Obama issued 106 regulations that each had more than a $100 million impact on the private sector, and hundreds more that imposed smaller but still heavy burdens.
These days, businesses are more likely to hire a lawyer than a new employee.
Yet proposals in Congress, advocated by the White House, would give the federal government, namely the Department of Homeland Security (DHS), power to dictate cyber-
regulations to the private sector. Such regulations would create a maze of assessments, audits and standards that must be obeyed by companies deemed by DHS to be “covered critical infrastructure.”
I do not believe this is the right strategy because I have little faith in the ability of the federal government to be the leader on cybersecurity.
First, the federal government’s “cyberhouse” is not in order. According to the Office of Management and Budget, there were 41,776 reported cyberattacks against federal networks in 2010 — a 39 percent increase from 2009. Over the same time frame, the number of incidents on private networks decreased by 1 percent. Even DHS has been the victim of high-profile hackings. Yet businesses are now supposed to trust government regulators to tell them how to do their security better?
These proposals raise some basic questions: What businesses will have to comply with new rules? What will be the total cost of these new regulations? When asked, many companies are uncertain whether DHS will deem them as “covered critical infrastructure” and subject them to regulation. This is exactly the kind of uncertainty that stifles investment and job creation, and prevents our economy from achieving robust growth.
At a recent hearing, I questioned Homeland Security Secretary Janet Napolitano on whether DHS had analyzed the cost of the proposed regulations. She wasn’t even willing to admit they were creating new regulations, much less analyze the costs. To date, DHS has been unable to identify the cost of cyber-regulations advocated by the White House. This isn’t a new trend. Only 0.5 percent of rules have received a cost-benefit analysis under Obama. Nobody really knows the true cost of Obama regulations, cyber or otherwise.
The very idea of placing DHS at the helm on cybersecurity should concern every American. DHS has been cited numerous times for inefficiency and waste. It has proven inept at managing regulatory programs, such as its scandal-plagued chemical security program, the Chemical Facility Anti-Terrorism Standards. It also lacks the experience and expertise already contained in other federal agencies. Why reinvent the wheel? Giving DHS more regulatory authority would only add another layer of bureaucracy and increase the cost of compliance.
The federal bureaucracy simply cannot keep pace with technology. Cyberexperts have said it could take eight to 10 years for DHS to develop cyber-regulations. Ten years is a millennium in technological terms; 10 years ago, there was no iPad, no Wii, and most Americans had never heard of “the cloud.”
New cyber-regulations could even make us less secure. Forcing industry to focus on checklists and audits rather than creating innovative solutions to threats might only provide a false sense of security. The correct strategy will recognize that industry is already the leader on cybersecurity. It is in business’ best interest to keep their networks secure.
For these reasons, I am co-sponsoring the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act. The bill was initiated by senators who agree that increasing the size and scope government is the wrong approach to cybersecurity.
SECURE IT removes legal roadblocks that prevent the private sector and government from sharing cyberthreat information. The bill facilitates cooperative sharing by protecting industry from frivolous lawsuits, and maintaining civil liberties. It also improves the security of government networks by giving prosecutors better tools to stop cybercriminals, and without expanding the nation’s out-of-control debt.
These are commonsense measures that will keep our nation more secure from cyberthreats, without the heavy hand of regulation. Choosing the right approach on cybersecurity is vital. Dramatically increasing Washington’s role in the complex and rapidly changing issue of cybersecurity would be a step in the wrong direction.
Mr. Johnson is a Republican senator from Wisconsin.
###