January 2, 2013

Have You Heard About The Coming Executive Order on Cybersecurity?

By: AF Editors

With Congress unable to pass legislation setting cybersecurity standards, drafts of an Obama cybersecurity executive order are circulating. This possibility has important implications for the future of American privacy, technology and infrastructure.

According to reporting on drafts currently in circulation, a cybersecurity executive order would likely provide federal agencies with several important new powers. First, the New American has reported that one leaked draft gives government actors such as the Pentagon, the National Security Agency (NSA), the director of national intelligence, and the Justice Department the power to decide whether more regulations related to cybersecurity are necessary.

Second, any executive order is likely to create an incentive program to encourage companies to conform to government-created security standards. Cybersecurity News reports that one incentive may involve “changing the federal procurement process to create preferences for vendors who meet cybersecurity standards.”

Imposing cybersecurity standards through legislation or incentives distorts market forces, creates new opportunities for cronyism and presents the government with more opportunities to gather and store data on private companies and their customers.

Market forces provide incentives for private companies to keep up to date on possible threats to their security and the best ways to combat those threats. Getting hacked hurts a company’s bottom line. There is no way, and little incentive, for government agencies to be as informed on industry-specific threats, or the best ways to go about preventing attacks, as the companies themselves. Therefore it’s unlikely that uniform, government-mandated security standards will be as well-informed and up-to-date as the standards companies make for themselves.

Not only that, but government incentives and laws will likely divert resources away from more efficient and effective private methods of threat detection and attack prevention and toward methods that meet government-created standards for security, possibly making companies less safe from cyber attacks.

Not only are government security standards likely to be inferior to private precautions, but in order for companies to participate in incentive structures or comply with legislation, they will need to share data on their security practices with government agencies. This creates obvious privacy concerns.

The influence of special interests on the process is just one more reason for concern. In a Wall Street Journal editorial, President Obama promised that “Cybersecurity standards would be developed in partnership between government and industry.” White House spokeswoman Caitlin Hayden explained to Politico that “the National Security Staff has held over 30 meetings with industry, think tanks and privacy groups, meeting directly with over 200 companies and trade organizations representing over 6,000 companies that generate over $7 trillion in economic activity and employ more than 15 million people.”

There is a very real likelihood that any program of security standards and incentives will be crafted with the desires of those 6,000 existing entrenched companies in mind, and will probably not help foster an innovative system of easy market entry and fierce competition. Whenever legislation is crafted in cooperation with industry, you find cronyism.

So not only will a cybersecurity executive order likely make companies less safe, create privacy concerns and help entrenched companies avoid competition, but it’s a “solution” to a problem that doesn’t actually exist. There have been no notable US cybersecurity attacks thus far, and no real reason to believe that infrastructure-crippling attacks are imminent.

“What do you do when you have a huge array of problems?” Cato Institute’s director of information policy studies Jim Harper said at a recent Cato event, “Cybersecurity: Will Federal Regulation Help?” “Is it the best thing to do to centralize your attack on those problems? Or should you perhaps instead think about assigning responsibility for solving those problems to the actors that are best positioned to address them?”

Individual companies and industries have faced and will face individual threats, which are best addressed individually, with quick and nimble action on the part of the people with the most to lose from attacks.

Cathy Reisenwitz is the digital publishing specialist for Reason magazine and blogs at Anarcho-capitalism Blog. She has been published in the AF Free the Future blog and Penelope Trunk’s Brazen Careerist. Image courtesy of Big Stock Photo.