Dueling Cybersecurity Propositions in the Senate | MTLR

Dueling Cybersecurity Propositions in the Senate

It’s no secret that cybersecurity is a big issue today, especially with certain private networks containing the personal information of millions of Americans being at a very high risk of attack. Never fear, though, because the U.S. Senate is on the case. Last month, a group of mostly Democratic Senators introduced the Cybersecurity Act of 2012. In response, seven GOP Senators, led by Senator McCain, introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act this past week. Clearly the first bill wins in the name category, unless you happen to be a fan of the trend of giving bills complex names just for their cutesy acronyms. The real question is, which bill is better for increasing cybersecurity without imposing too much on the organizations running these private networks? (1)

The Cybersecurity Act would create a new regulatory scheme under the Department of Homeland Security that requires certain critical infrastructure networks to work with regulators to develop and abide by extra security measures. The regulations would apply to any network “whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life.” Since its drafters were opposed to the increased government intervention of this measure, the SECURE IT Act instead promotes more sharing of information about threats between the government and private network owners and increases criminal penalties for certain cybercrimes.

Trade groups seem to prefer the SECURE IT Act, since it doesn’t create more regulations for them to follow. That was predictably the biggest criticism of the Cybersecurity Act. The owners of these networks already have incentives to keep them up and secure, and increasing information sharing regarding threats is absolutely necessary. The SECURE IT Act also places more emphasis on punishing the people doing the hacking, but the huge problem with relying on punishment in cybersecurity is how difficult it is to catch the perpetrators in the first place. The penalty could be life in prison, but it’s worthless if you don’t have a person to try.

There is also some benefit to requiring certain networks to meet extra requirements. The networks running our financial system, fire departments, police departments, utilities, and even certain retailers are high risk, but as the Cybersecurity Act implies, they are essential to daily life. Too big to fail, if you will. Allowing the government to ensure their security can be seen as part of national defense.

The answer may be to incentivize information sharing, with the threat of increased regulation if critical infrastructure networks have substandard security as tested by an accepted industry standard. This sort of compromise may be what eventually passes, if anything can get past the gridlock gripping Washington this election year. We’ll have to wait and see.

1) I assume here that we do want to avoid extreme impositions on the private networks, whether because giving the government that control gives us the heebie-jeebies or because we’re worried they will just take the networks down.
