By Representative Dan Lungren
The Internet is a vast global communication system, made up of a growing number of networks and digital devices. Its global reach is why the Internet is so valuable to us. It allows the flow of information from hundreds of millions of different endpoints and servers.
While this global reach makes it valuable, it also makes it dangerous. The ability to hide on the Internet is well-known, as is the ability to contact the other side of the world from your local keyboard or mobile device.
While the federal government must take a role in managing the risk posed by this global communications web, the real question is what is the government's proper role? The federal government possesses cybersecurity threat information and technical capabilities that private enterprises simply do not have. Should it provide cybersecurity for the private sector, or should the government require that the private sector secure its own networks to a particular standard?
The Internet's global reach also makes it exceedingly difficult for any one body or organization to manage and ensure the integrity and viability of the Internet and all devices that connect to it without massive resources and sweeping authorities, including the required standardization of security practices.
Such standardization could restrict and slow the innovation that has sparked the global technology industry and could limit the flexibility -- and thereby the value -- a network provides to its owner. In the long run, standardization could actually make networks more vulnerable, especially to instances of state-sponsored hacking. At a time when we're still struggling from the economic slowdown, new standards and regulations would be poorly received.
As such, the federal government should not endeavor to provide or manage security for the nation's networks. Instead, the government should enable strong security by sharing information on threats and risks and facilitating the exchange of best practices and security techniques. Government should provide private-sector entities the information that is necessary to protect themselves. It should create an environment in which firms are encouraged to take more than minimal security steps and are rewarded for doing so. Government needs to facilitate a setting where good guys can share information and best practices as quickly and efficiently as the bad guys currently do. As a nation we are hindering advanced cybersecurity by inhibiting the sharing of timely and actionable information. Government is as much to blame by over-classifying cybersecurity threat information as the private sector is for refraining from reporting cyber-incidents for fear of damage to their reputation or price per share.
While cybersecurity is truly a "team sport," there needs to be clear roles and responsibilities for all of the team's players. Often we hear the question, "Who's in charge of cyber?" and so far the Obama administration has not come up with a satisfactory answer. The administration has created the office of the cybersecurity coordinator that reports to both the National Security Council as well as the National Economic Council, yet the question of who is in charge has not been satisfactorily answered. Ultimately, the president is in charge, but allowing the different departments and agencies to pursue their own agendas and budgetary priorities undercuts a coherent national cybersecurity policy.
Congress needs to create an environment in which companies and individuals are incentivized to use appropriate and effective cybersecurity measures. There are a number of ways to build this environment -- some probably more effective than others, but one thing is certain: Legislation must not contain technological mandates.
Technology moves so much faster than Congress legislates that any attempt to include a technological standard in legislation would be foolish. Mandating particular technologies would leave us to fend off increasingly innovative threats with outdated technology. The private sector shouldn't be disadvantaged when we are asking them to protect themselves and their property from ever more sophisticated threats.
While technological mandates are counterproductive, the development of performance standards along with best practices could assist the private sector -- and the government -- in better securing their systems. A standard of care must be developed so that both providers of security and consumers can discuss the issue on the same level. Common practices and terminology should be used and performance standards should be employed so the public can evaluate security implementation to determine what level of risk they are willing to accept for their various Internet transactions. By providing information to security consumers, the marketplace will differentiate and provide the needed incentives for improving that security.
The bottom line is the threat to the integrity of our information is real and the consequences are grave. Government should enable and facilitate the private sector to protect itself by providing needed information, guidance and best practices. Our country has the imagination and the expertise to better protect itself, we in government need to facilitate, not dictate, better cybersecurity.