Strategy - International Relations - History and Culture of War - Military Hardware. Our motto: "Know in order to act"
Our purpose is to promote knowledge of and debate on topics related to the military art and science. The selection of articles seeks to reflect all opinions, regardless of their ideological affiliation, in order to promote critical thinking among readers.

Wednesday, October 24, 2012

Cyberwar and the legal framework.


Preparing the Legal Foundations for U.S. Cyberdefense


By Eric Sterner

[Photo caption: An Internet server]
In late September, Sen. Joe Lieberman detailed a significant and sustained Iranian attack on U.S. banks in retaliation for the Stuxnet virus, which the U.S. all but admitted had been used to attack Iran's nuclear program. In October, Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, spoke circumspectly about a new cyberthreat from an "unusual source." Then, on Oct. 11, Secretary of Defense Leon Panetta warned of America's unpreparedness for a major cyberattack, raising the specter of a cyber Pearl Harbor.

The message was clear: The United States is engaged in a cyber conflict. Alarmingly, however, the U.S. private sector lacks an adequate approach to defending itself against such cyberattacks, in large part because Washington has yet to prepare a firm legal foundation for doing so.

This is not for lack of trying. Members of Congress spent much of 2012 arguing about three different legislative models for cybersecurity. Lieberman led a group promoting a regulatory model, but critics argued that the proposed regulatory process was extraordinarily burdensome and convoluted, and would undermine the speed of decision-making and implementation needed for private firms to fight fast-changing cyber threats.

Attempting to address these concerns, Sen. John McCain led Senate Republicans to introduce a competing bill that they believed addressed areas of existing common agreement, such as strengthening criminal statutes, updating procedures for the U.S. government to improve its own cybersecurity and improving research and development of relevant technologies and capabilities. Neither bill, however, generated sufficient bipartisan support to pass the Senate.

Meanwhile, in the House of Representatives, Rogers and the ranking Democratic member of his committee, Rep. Dutch Ruppersberger, focused on breaking down walls between government, which often has critical information about cyber threats and attacks, and the private sector, which is the first line of defense when it comes to protecting the country from enemies in cyberspace. Critics raised concerns about the bill's impact on privacy, but subsequent adjustments led to its passage on a bipartisan basis. The Rogers-Ruppersberger approach is not as comprehensive as the Lieberman bill, but it would enable significant improvements in the United States’ cyberdefense posture. Unfortunately, that bill is also stalled in the Democratic-controlled Senate.

It is possible that Congress and the administration will end the deadlock after the election, especially if new threats or attacks spur a sense of renewed urgency. Even so, it is unlikely that the most recent version of either the Senate or House bill will be passed in its current form. At best, the chambers may adopt measures addressing areas of minimal agreement, on training and on research and development, for example, in response to an administration threat to unilaterally adopt a regulatory approach by executive order. In that event, Congress would still begin the new year with a significant amount of cybersecurity work to do.

Fortunately, both pieces of proposed legislation offer a sound foundation on which to build. The Rogers-Ruppersberger bill could immediately improve the country's cyber posture by breaking down walls between the government's intelligence agencies and the private sector’s defenses. Having passed the House once, the bill should be able to muster bipartisan support again, particularly if its sponsors educate the country about the privacy protections built into the bill.

While better information-sharing is critical and urgent, that alone will not be sufficient. The truth is that some companies, even if they are aware of cyber threats, will choose to accept heightened risk as a cost of doing business, while those critical infrastructure enterprises that most concern Lieberman may opt to seek a government bailout after the fact. They may believe that preparing for a cyber Sept. 11 is beyond them and does not justify the significant added expense to their shareholders. After all, securing the United States against attack is a core function of government, and publicly traded corporations have a fiduciary obligation to maximize shareholder value. Regulators from the Securities and Exchange Commission and the threat of class-action shareholder lawsuits might trigger more action by publicly traded companies than prodding from government security officials about an ill-defined cyber threat. In that context, however, a top-down, government-imposed regulatory environment is more likely to result in a focus on paperwork and box-checking whose glacial pace cannot possibly keep up with the threat. So even if the regulatory paperwork is put in place, no one will be the safer for it.

Likewise, Lieberman's use of liability is a first step toward improving the security of the country's critical infrastructure. His bill essentially immunizes corporations and other entities from liability for cooperating with the United States government. But while this may be necessary to remove obstacles to cooperation, the government may want to consider going further, making corporations and their management more liable for failures to take adequate or appropriate cybersecurity measures. There is already a history of explicitly making certain legal persons liable for externalities they create, particularly in areas involving environmental impact. Corporations routinely purchase liability insurance, and the insurance industry helps establish standards to minimize its own exposure to failure, as well as that of the insured. Such an approach may achieve Lieberman’s standard-setting goals more efficiently than a regulatory model.

There are significant differences, of course, between cybersecurity and environmental liability. For one thing, corporations creating adverse environmental externalities are not generally under attack by skilled adversaries. Yet environmental liability offers a precedent for exploring a similar model in cybersecurity and assessing its strengths and weaknesses as an alternative to a regulatory approach. Most importantly, a liability model would leave the private sector greater flexibility to adopt new security measures without burdening the process with a slow and cumbersome federal decision-making process. Congress may choose one of these models, or adopt an alternate approach. Either way, action is needed soon to ready the nation’s defenses for the next wave of cyber threats. There are alternatives to deadlock, and exploring them is urgent.

Eric Sterner is a fellow at the George C. Marshall Institute. He was a senior professional staff member on the House Armed Services and Science Committees and served in the Office of the Secretary of Defense and as NASA's associate deputy administrator of policy and planning.
