Politico: Facilitator is needed for cybersecurity

Originally printed in Politico, July 31st, 2012

There is widespread agreement across America that cybersecurity is an urgent national priority and the federal government needs to play a major role. The threat of a cyberattack is real, and its consequences could prove devastating to our economic and national security. Effective action cannot come too soon.

Any solution to cybersecurity must allow the private sector, which owns 85 percent of our nation’s critical infrastructure, the freedom to use all tools at its disposal to protect against cyber intrusions. Business owners understand the need to protect themselves in the cyber domain and are devoting considerable resources to do so. Industry is right to expect that any Senate legislation will complement its current efforts.

As much as possible, Washington should facilitate — rather than dictate — cybersecurity.

When the Cybersecurity Act was brought to the floor last week, without either a hearing or a markup, industry understandably mobilized to express alarm. The bill’s proposed framework creates a government-based solution that hampers the private sector’s agility and ingenuity to meet this rapidly evolving threat.

The list of those opposed is telling. It includes the Chamber of Commerce, the American Petroleum Institute, the Internet Security Alliance, the Business Roundtable, IBM, the National Rural Electric Cooperative Association and the National Association of Manufacturers.

They are raising legitimate concerns that the “voluntary” framework offered to industry is overly burdensome and prescriptive. It could quickly turn into a mandatory regulatory scheme. Increased bureaucracy and uncertain liability protections would actually slow the sharing of threat information between business and government. Resources better spent on innovation and deterrence would be diverted to satisfy government notions of compliance.

Meanwhile, the number of cyberattacks on federal networks rose 39 percent in 2010, according to the Office of Management and Budget, while the number of incidents on private networks went down.

In 2011, incidents on federal networks went up again — this time by 5 percent. At the same time, only 18 percent of federal agencies’ nearly $76 billion information technology budget was spent on security. Of that amount, 76 percent of IT security costs at nondefense agencies were spent feeding a bloated bureaucracy.

The federal bureaucracy simply cannot compete with the private sector’s expertise and dexterity in identifying and implementing effective solutions. Before dictating standards to businesses, the government should certify that it meets the same levels of IT security and efficiency that it intends to impose on the private sector.

There is a legitimate role for government in protecting the Internet. But we must work with — not against — business to identify a solution.

Unfortunately, the message to industry this week is: We’ve run out of time and we’re passing a bill. If it’s flawed, don’t worry; we’ll fix it in conference.

That is a risk we cannot take. The impact that this legislation will have on the economy and the private sector is still unknown. The Congressional Budget Office has not had an opportunity to analyze its cost — which is an expected step under standard procedure.

Any analysis would undoubtedly be complicated by one provision that allows up to six months after enactment for the Office of Management and Budget to tell Congress what resources and staff would be needed for specific responsibilities. Meanwhile, our national debt nears $16 trillion, real unemployment is almost 11 percent and there is a $1.75 trillion annual regulatory burden on the economy.

Affected parties have legitimate concerns about the effects this legislation will have if it becomes law. These should have been addressed before the floor debate. Congress can and should solve the problem this year.

But in doing so, we must not lose sight of our obligation to deliver to the American people the best product for both our economy and our national security.

Sen. Saxby Chambliss (R-Ga.) is the vice chairman of the Senate Select Committee on Intelligence. Sen. Ron Johnson (R-Wis.) serves on the Budget and the Homeland Security and Governmental Affairs committees.