Obama's Cyber Czar Should Obey "Cybersecurity Commandment"
Today, President Obama is scheduled to name a “cybersecurity czar with a broad mandate”, and issue a report outlining the government’s security policies. The “czar” is to manage and coordinate government technology policy.
Such a role could make sense if it were limited to “bringing government into the 21st century.” But given the constant temptation for meddling in technology policy by politicians from both parties, a “czar” can easily become a leader in the drive to regulate someone, somewhere, rather than simply tend to government modernization.
Broad government cybersecurity regulation is premature. Politicians, when they do weigh in, will seek millions to establish numerous research grants for cybersecurity initiatives; set up cybersecurity agencies, programs, and subsidies; and steer students toward cybersecurity research.
Past regulatory proposals have included mandates for firewalls, virus protection, disclosure, and reporting and sought to impose greater liability on software makers. But legislation—like anti-spam laws—would be ineffective, since the bad guys don’t obey the law anyway, and many cyber-attacks originate abroad beyond the reach of U.S. regulation.
Policy makers should avoid collectivizing and centralizing risk management, especially in frontier industries like information technology. Yes, we need government-backed “police forces” to protect private networks and infrastructure, but we also need the “barbed wire” and “door locks” which private companies continuously compete with each other to improve. When government overrules market competition for information/electronic security, it creates barriers to innovative private security solutions. We become less secure, not more.
Some reports indicate that the administration and Congress are seeking government authority over private networks—like power grids and computer networks—in the event of breaches. The very term “cyber” at once means everything and therefore nothing: American telecommunications, the power grid; virtually anything networked to some other computer is fair game to a new czar. The dominant tenor of the cybersecurity debate today is toward greater federal control over private infrastructure.
Washington has a proper role. It entails protecting government’s own networks and setting internal security standards, not regulating private networks. It involves arresting computer criminals and avoiding creating threats to data security in the form of data retention mandates, national ID schemes, proposals to re-regulate encryption, and czars that set terms for all they survey.
Security is an industry, and industries—and abstract concepts like “technology”—do not need czars in Washington. Innovation in information security and privacy protection does not flow from D.C. Rather, a government tech czar would likely grow in “stature” as a target for lobbyists. A federal technology chief could all too easily become an agent for establishing government authority over frontier technologies.
Both suppliers and customers increasingly demand better security from all firms. Improving private incentives for information sharing is at least as important as greater government coordination to ensure security and critical infrastructure protection. That job will entail liberalizing critical infrastructure assets—like telecommunications and electricity networks—and relaxing antitrust constraints so firms can enhance reliability through the kind of “partial mergers” that are anathema to today’s antitrust enforcers.
Private cybersecurity initiatives will gradually move us toward thriving liability and insurance markets for cutting-edge sectors. Heavy-handed cyber-czar gestures and legislation cannot address the lack of authentication and the inability to exclude bad actors that are at the root of today’s cybersecurity problems.
Like everything else in the market, security technologies—from biometric identifiers to firewalls to encrypted databases—and cybersecurity services—from consulting to liability insurance to network monitoring—benefit from competition. Corporate information and security officers deal with cybersecurity concerns every day. It’s not clear what government could really fix—but it could break a lot.
The effects of mistakes made in the market—such as from overly aggressive spam filters—are easier both to contain and to correct than bad legislation. Worse, regulation can become so entrenched that genuine liberalization, however warranted as conditions change, simply cannot occur. To reduce the impact of any given attack, policy makers should seek to “privatize” rather than collectivize responsibility.
The need to preserve a dynamic market role can be summed up in a single Cybersecurity Commandment:
Do not take steps in the name of cybersecurity that make it: (1) impossible to liberalize or deregulate critical infrastructure and networks or (2) impossible or undesirable to “self-regulate” in emerging critical networks and technologies.
Government should not undermine future private sector security solutions beyond what we can foresee today. America seems no worse off without a cybersecurity czar. It could be a lot worse off with one.