The Internet is a vast global communication system, made up of a growing number of networks and digital devices. Its global reach is why the Internet is so valuable to us. It allows the flow of information from hundreds of millions of different endpoints and servers.
While this global reach makes it valuable, it also makes it dangerous. The ability to hide on the Internet is well-known, as is the ability to contact the other side of the world from your local keyboard or mobile device.
While the federal government must take a role in managing the risk posed by this global communications web, the real question is what is the government’s proper role? The federal government possesses cybersecurity threat information and technical capabilities that private enterprises simply do not have. Should it provide cybersecurity for the private sector, or should the government require that the private sector secure its own networks to a particular standard?
The Internet’s global reach also makes it exceedingly difficult for any one body or organization to manage and ensure the integrity and viability of the Internet and all devices that connect to it without massive resources and sweeping authorities, including the required standardization of security practices.
Such standardization could restrict and slow the innovation that has sparked the global technology industry and could limit the flexibility — and thereby the value — a network provides to its owner. In the long run, standardization could actually make networks more vulnerable, especially to instances of state-sponsored hacking. At a time when we’re still struggling from the economic slowdown, new standards and regulations would be poorly received.
As such, the federal government should not endeavor to provide or manage security for the nation’s networks. Instead, the government should enable strong security by sharing information on threats and risks and facilitating the exchange of best practices and security techniques. Government should provide private-sector entities the information that is necessary to protect themselves. It should create an environment in which firms are encouraged to take more than minimal security steps and are rewarded for doing so. Government needs to facilitate a setting where good guys can share information and best practices as quickly and efficiently as the bad guys currently do. As a nation we are hindering advanced cybersecurity by inhibiting the sharing of timely and actionable information. Government is as much to blame by over-classifying cybersecurity threat information as the private sector is for refraining from reporting cyber-incidents for fear of damage to their reputation or price per share.
While cybersecurity is truly a “team sport,” there needs to be clear roles and responsibilities for all of the team’s players. Often we hear the question, “Who’s in charge of cyber?” and so far the Obama administration has not come up with a satisfactory answer. The administration has created the office of the cybersecurity coordinator that reports to both the National Security Council as well as the National Economic Council, yet the question of who is in charge has not been satisfactorily answered. Ultimately, the president is in charge, but allowing the different departments and agencies to pursue their own agendas and budgetary priorities undercuts a coherent national cybersecurity policy.
Congress needs to create an environment in which companies and individuals are incentivized to use appropriate and effective cybersecurity measures. There are a number of ways to build this environment — some probably more effective than others, but one thing is certain: Legislation must not contain technological mandates.
Roll Call has launched a new feature, Hill Navigator, to advise congressional staffers and would-be staffers on how to manage workplace issues on Capitol Hill. Please send us your questions anything from office etiquette, to handling awkward moments, to what happens when the work life gets too personal. Submissions will be treated anonymously.