Congress is busy debating whether and how the federal government should regulate cybersecurity practices in the private sector.
Some members and federal agency officials worry a disruption in privately held critical infrastructure could quickly become a public health or safety issue.
One expert wonders if any cybersecurity legislation is even needed.
“For me the question isn’t which bills in which House should move, but whether Congress can provide any value to the problem of fixing all the problems that comprise cybersecurity,” said Jim Harper, senior policy analyst at the conservative Cato Institute.
Harper spoke to The Federal Drive with Tom Temin and Emily Kopp Wednesday about the pending cybersecurity bills.
“Cybersecurity is thousands of different problems that will be handled by hundreds of thousands of different individuals and organizations and institutions over decades,” Harper said. “It’s unclear if the Congress or the federal government can really help in this area. That’s the first question and it hasn’t been answered yet.”
From his perspective, the private sector has enough incentive to solve its own cybersecurity problems without the help of the government.
“The owners of computers, networks and data have every reason to look after the problems with their own systems and they’ll do so,” Harper said. “They won’t reach perfection, but we don’t have perfection in physical protection in the real world, so we shouldn’t expect it in the cybersecurity area either.”
Is there a real threat?
Harper admitted it was difficult to know how well companies were already doing at protecting themselves because the full extent of the cyber threats out there is unknown.
“We have to look at the proof which is in the pudding,” he said. “Our systems are not failing daily, weekly or monthly. Most of the systems that we rely on for our communications, for our financial services and so on are working. There’s a common practice of backing up data so that anything that is taken down can be put back up relatively quickly.”
Reports of cybersecurity vulnerabilities and failures, Harper said, are coming from people within the cybersecurity industry, some of whom may be trying to sell products to the government.
The government’s argument for increasing its regulatory reach extends from a desire to protect the critical infrastructure from cyber attacks.
“Systems like the electrical grid, they start losing money if they are unable to provide electric service,” Harper said. “So they have the incentives they need to provide that service and secure their systems.”
Harper pointed to the 2003 power outage in New York State and the Northeast as an example of the type of infrastructure failure people are worried could occur from a cyber attack.
“That was not a disastrous situation,” he said. “People managed quite well. We’re a resilient and strong society that can handle these kinds of things.”
The government’s role, according to Harper, should be that of a smart purchaser of cybersecurity technology, helping the marketplace move along.
Information sharing vs. privacy
Another aspect of the proposed cybersecurity legislation concerns information sharing between the private sector and government. This is seen as necessary in order to quickly counter a cyber attack.
“It’s assumed — and probably correctly — that information sharing would solve problems,” Harper said. “But what we need is a natural baseline of information sharing. When it’s appropriate, information should be shared.”
To facilitate the information sharing, some of the legislation supersedes current laws, including the Privacy Act. Harper sees that as a potentially dangerous path to travel, especially from a privacy and security perspective.
“A variety of laws, including private contracts and tort laws, would be gone under the language of these bills,” he said. “The information sharing idea, it’s a good idea. But we don’t need to size down all the laws in the United States for the purposes of sponsoring information sharing.”
Ultimately, what Harper doesn’t want to see is Congress passing a law so that it can simply say it’s solved the cybersecurity problem.
“Time will deliver cybersecurity that’s appropriate,” Harper said. “We don’t need a federal law right now and I don’t think we ever will.”