Cybersecurity & Tech

Invisible Hands and Iron Fists: Challenges in Regulating the Innovation Economy

Megan Stifel, Jamil N. Jaffer
Thursday, August 17, 2017, 1:49 PM

Have you heard of “Regulators in Cyberia”? No, it’s not the latest thriller on the silver screen. Rather, it’s a white paper recently released by the Federalist Society’s Regulatory Transparency Project that explores the challenges existing regulatory approaches pose to technological innovation.

Published by The Lawfare Institute
in Cooperation With

Have you heard of “Regulators in Cyberia”? No, it’s not the latest thriller on the silver screen. Rather, it’s a white paper recently released by the Federalist Society’s Regulatory Transparency Project that explores the challenges existing regulatory approaches pose to technological innovation.

The paper, whose writers are an ideologically diverse group of participants in the RTP’s Cyber and Privacy Working Group, is the first phase of multi-year project to examine the impact regulations have on the modern American economy. Neither the project nor the paper itself purport to provide a complete solution to important questions about whether and when, if ever, governmental entities should establish regulations or standards, particularly when it comes to rapidly changing sectors. Instead, the paper aims to set out and analyze several questions across multiple topic areas to aid such an assessment. At the same time, the paper’s overall analysis suggests healthy skepticism is warranted when it comes to potential regulation in such environments. Below is a summary of its assessment and findings.

The Internet’s pioneers hardly envisioned the dramatic growth and transformation that characterize today’s Internet. A relative lack of regulation accelerated early digital innovation. The paper then highlights five examples that illustrate the hazards that can result when regulations predating the Internet revolution make first contact with the economic and social opportunities unleashed by interconnected technologies. Among other things, they demonstrate that the impact of Moore’s Law—the doubling of computer processing power every 18-24 months—makes regulation a particularly weak tool to achieve policy objectives, including privacy and security, arguing instead that in a rapidly changing technological environment, these goals can often be most effectively met through the use of market incentives. In recent years, the specter of regulation has threatened the viability of the sharing economy and the broad availability and export of cybersecurity products and could hamper the rapid innovation that currently characterizes the evolution of the so-called “Internet of Things.”

Many of the examples will resonate with Lawfare readers. For instance, readers likely remember the recent uproar over whether (and how) certain cybersecurity products ought to be covered by the Wassenaar Accord’s export control regime. To be sure, the issue was hotly debated in certain circles, but common wisdom among many technologists is that this debate—and the deeply flawed outcomes it engendered—demonstrates the inability of government bureaucrats to effectively address technological innovation. Indeed, the effort to regulate the transfer of these products suffered deeply overbroad definitions, which swept within the proposed modification’s mandate not only tools commonly used in run-of-the-mill penetration testing, but also tools used to identify compromised machines. Equally as concerning, the effort overlooked the crucial fact that the activities of greatest concern—the distribution of crimeware by criminal groups—would rarely (if ever) become the subject of an export licensing request under the Wassenaar regime. Given the broad availability of such tools on the black market, all the licensing controls in the world won’t keep the tools out of the hands of bad actors, authoritarian regimes and criminals alike.

The paper offers several other examples of regulatory incongruity, noting that it is easy to forget today that innovators like Uber, Lyft, Kickstarter, Airbnb—products that enable consumers to directly connect with each other to allocate excess capacity and satisfy demand for services—once faced stiff opposition from entrenched and (sometimes highly) regulated incumbents. In some geographies, this opposition continues. Entrenched local and regional industries engage in rent-seeking behavior to stifle new competition. For example, with Uber and Lyft, existing market players voiced ostensibly safety- or privacy-related concerns and argued to regulate the innovators in a manner similar to the incumbents. Luckily for those who (like the authors of this post) use Uber and Lyft with reckless abandon, consumers were able to band together to successfully oppose such anti-competitive efforts: in response to numerous municipal efforts to apply ill-suited regulations to ride sharing, 41 states adopted a streamlined approach that satisfied public safety concerns while also enabling the economic benefits of the sharing economy to expand.

The paper, which covers a range of other topics, including the implementation of the Americans with Disabilities Act (ADA) to the Internet of Things, is available on the Regulatory Transparency Project’s website here.

The Project is crowdsourcing experiences with regulations: improve this effort by sharing your own experience here.

Megan Stifel is a Nonresident Senior Fellow with the Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security and the Founder of Silicon Harbor Consultants, which provides strategic cybersecurity operations and policy counsel. Prior to founding Silicon Harbor Consultants, she was an attorney in the National Security Division at the U.S. Department of Justice (DOJ). She most recently served on detail as a Director for International Cyber Policy in the National Security Council at the White House. In this role, Ms. Stifel developed and implemented policies in connection with Internet governance, cybersecurity, and cybercrime. Prior to the White House, Ms. Stifel worked at the Computer Crime and Intellectual Property Section (CCIPS). At CCIPS she collaborated with law enforcement agencies to investigate and prosecute computer crime cases, including identity theft, network intrusion, and malware distribution. Ms. Stifel also previously served as the Director for Cyber Policy at NSD, where she coordinated the Division’s policy and legal analysis in connection with the 2009 Cyberspace Policy Review (CSPR) and the 2008 Comprehensive National Cybersecurity Initiative, cyber-related legislative proposals, cybersecurity investigations, cyber operations, and the telecommunications supply chain. She was a member of the interagency group that developed the 2011 International Strategy for Cyberspace and the CSPR. Ms. Stifel earned her B.A. in International Studies and German, magna cum laude, from the University of Notre Dame and her J.D. from Indiana University.
Jamil N. Jaffer currently serves, among other things, as an Adjunct Professor of Law and Director of the Homeland and National Security Law Program at the George Mason University School of Law where he teaches classes on counterterrorism, intelligence, surveillance, cybersecurity, and other national security matters. Jamil is also affiliated with Stanford University’s Center for International Security and Cooperation and most recently served as the Chief Counsel and Senior Advisor for the Senate Foreign Relations Committee. Jamil also previously served as Senior Counsel to the Permanent Select Committee on Intelligence of the U.S. House of Representatives and in the Bush Administration in a variety of capacities, including in the White House as an Associate Counsel to the President and in the Justice Department’s National Security Division as Counsel to the Assistant Attorney General for National Security. Jamil holds degrees from UCLA, the University of Chicago Law School, and the United States Naval War College.

Subscribe to Lawfare