Published by The Lawfare Institute in Cooperation With
- Regulation is only necessary if you think that cyber vulnerabilities of CI are an existential threat. We would not be thinking of a new regulatory scheme just to deal with cyber crime. The entire premise of the pro-regulation argument is that large swathes of our CI are vulnerable to, say, Chinese attack. But that’s not an accurate assessment of the actual risk – either right now or at any time in the near- to mid-term.
- Regulation is also not the only way that governments deal with externalities. We sometimes deal with them through other means like subsidies, taxes, and the imposition of liability. And sometimes, if the costs of fixing the externality are greater than the costs imposed by the externality, we just live with it. In general, regulation is one of the less effective methods – it is subject to well-known risks of regulatory capture and information asymmetry that make it a poor choice of methodology for dealing with externalities.
- Regulation is an especially poor choice for use in a dynamic and changing environment where the performance standards we might develop today are almost certainly irrelevant to the architecture of the Internet as it will exist in, say, three years. The mean time to significant regulation in the US is 18-24 months. In that time the speed of processing on the network doubles and the cost of data storage declines by half.
- No Federal agency is suitable to lead this regulatory effort. DHS is not a regulatory agency and their one major regulatory program (the Chemical Facility Anti-Terrorism Standards program – CFATS) is mired in bureaucratic failure. Other civilian agencies (like Commerce or the FTC) with some relationship to cyberspace jurisdiction lack both the breadth of authority and the technical expertise. And the only agencies with adequate cybersecurity know-how are military agencies (NSA and Cyber Command, principally) who are not regulatory agencies at all and who we ought to be reluctant to give a lead role in defining the architecture of an essentially civilian enterprise.
- The entire focus of the proposed regulatory structure is misguided. It recapitulates a Maginot Line type mentality that posits that adequate protection can prevent cyber intrusions. One may read the entirety of Title I of the Lieberman-Collins bill without seeing the word “resiliency” anywhere within its text. The structure of the statute reflects the fact that our lawmakers seem to misconceive what cybersecurity is and ought to be. That category mistake gives me a healthy skepticism that we understand the real root of the problem – a necessary predicate to legislation.
- Plenty of regulations already exist in this sphere and their track record is modest at best. But to the extent that we think regulation is efficacious, we are already doing it. NERC now sets cybersecurity standards for the electric industry, for example, and the CFATS program I mentioned above already has cybersecurity performance standards for the chemical industry. [And, yes, I do realize that this point cuts a little both ways – to the extent we already have regulation, what is the harm in the bill? It may be none, but I suspect that the answer is the dreaded “extra layer of bureaucracy” with DHS approving NERC standards.]
- Finally, the rush to Federal regulation will have significant adverse effects on Internet governance and our international posture. Cyberspace is a borderless domain and an American regulatory system will not mix well with that structure:
  - Border effects – what if US performance standards are not consistent, say, with Canadian ones? Will protection of our unified electric grid suffer?
  - Fracturing the Network and the Market – US security standards, if we set them, will almost certainly result in the growth of such standards in other parts of the world. There is every reason, however, to expect that American standards will not become universal. Rather, they will differ from European standards or Asian ones. To the extent those standards are embedded in system architecture, the varying standards threaten the universality of the network. To the extent they are not, these varying standards will “only” be a regulatory burden borne by companies, stifling innovation and reducing profit margins.
  - Internet freedom will suffer. Already, China argues that its regulation of the internal Chinese cyber domain is “just like” our use of NIST to set standards. We may comfortably laugh that off now, but we will have a much harder time making the public case for internet freedom of public expression if our own security standards run at all in the direction of, say, identification requirements (as they likely will).