Legislating cybersecurity: Sometimes, the best thing that can happen is nothing

CSO Publisher Bob Bragdon has been calling on lawmakers to get something done for cybersecurity this year. But to me, the best thing that could happen is nothing. Here's why.

I want to apologize to Steven Titch straightaway, because I'm about to be the parrot repeating his every word. In this case, I'm taking the points he made in a column last week and running with 'em. His message -- that no cybersecurity law is better than a bad one -- is truth times a hundred to me, and it has to be repeated often.

In the Reason Foundation article "No Cybersecurity Act is Better Than a Flawed One," he writes:

U.S. vulnerability to cyberattack should indeed be taken seriously. The objective of the Cybersecurity Act, which likely would be mirrored in any White House order, is not the problem. But solutions that the current government plan proposes are. The security countermeasures spelled out in the Cybersecurity Act relied on top-down government mandates, a blind faith in surveillance and identification technology, and centralized management and control of both the network and information. In short, the U.S. government plan for cybersecurity involves a massive deployment of video, data and software analytic and biometric systems that would collect and collate data on the everyday lives, transactions and movements of citizens. In the event of an attack, the U.S. government would assume control of the entire Internet infrastructure in the U.S., including a "kill switch" that would, at least in theory, separate the U.S. network from the rest of the world.

The original version of the cybersecurity bill was vague as to how the government would be permitted to use, share or search this data, which concerned most civil liberties groups. Data protection provisions were added during mark-up that address these criticisms but did not allay all concerns.

This has been the problem with legislating cybersecurity all along. Like any bill before Congress, lawmakers load up the document with a bunch of provisions that overreach in some cases and have nothing to do with the main issue at hand in other cases.

CSO Publisher Bob Bragdon has been calling on lawmakers to get something done for cybersecurity this year. (See his column, "The many seasons of our discontent.") But like Titch, I'm happier to see nothing get done if progress translates into a bad law.

Earlier this year, I railed against the proposed Cyber Intelligence Sharing and Protection Act (CISPA) because I felt it was as bad as The PATRIOT Act and the SOPA-PIPA legislation that sparked so much outrage that it was tabled despite early, overwhelming support in Congress. At the time, I wrote:

Fear is always the spark that ignites the push for insidious laws. The PATRIOT Act comes to mind. So does the thankfully-tabled SOPA-PIPA legislation in that the entertainment industry was frightened by changes in how we get our music and videos and lobbied for censorship legislation instead of working on a better business model.

Now we're scared over cybersecurity. We're not in the state of blind fear we were in after 9-11, but we're scared enough to do something stupid. 

After 9-11, all we saw on the news were reports of another spectacular attack in the works and how terrorists were looking for nuclear, chemical and biological weapons so they could kill millions more. Frightened numb, we allowed Congress to pass the PATRIOT Act -- a law that empowered the government to spy on us like never before.

We didn't care, because we wanted to be safe.

Now all we hear about are the attacks evil hackers are planning: downing the power grid in political protest; siphoning bank accounts dry; Chinese operatives hijacking American defense systems and, worst of all -- terrorists taking down the entire Internet we've all become so dependent upon.

At SOURCE Boston last week, security luminary Dan Geer reminded attendees of something former White House chief of staff and current Chicago Mayor Rahm Emanuel said in the darkest days of the Great Recession in 2009: "Never let a good crisis go to waste." Geer brought up the quote to point out that government will always take a mile when we give it an inch in a crisis atmosphere. In this case, Emanuel wanted to use the economic crisis as the stick by which Congress would pass sweeping laws to reform the healthcare system and change the face of the economy. Though the economy remains sluggish, the atmosphere of imminent doom receded to the point where Congress felt less inclined to give Obama the kind of first hundred days FDR enjoyed at the height of the Great Depression.

--Read the full post: "Need proof that CISPA stinks? Open your history books"

A month after that Geer talk, I was at an ISSA event in L.A. featuring Bruce W. McConnell, senior counselor for cybersecurity at the U.S. Department of Homeland Security. He spoke of the Obama Administration working with Congress on cybersecurity legislation. He joked about Congress' perceived inability to push through a federal cybersecurity law to supplant all those state data security laws we've been living with in recent years. He admitted that one of the challenges is for the public and private sectors to clarify the role government must play in this dangerous new world. Then he said things that puzzled me further.

One item was a suggestion that government isn't out to invade citizens' privacy and how, after all, wiretapping is illegal. Then he noted the challenges of the U.S. reaching a better consensus with Europe on how best to proceed.

"Europe is very concerned about data privacy," he said. "Europe wants more power for individuals to control their own privacy."

He said that like it's a bad thing.

--Read the full post: "DHS cybersecurity official leaves more questions than answers"

That's the thing about the most recently proposed legislation that I despise: It approaches our right to privacy as if it were a bad thing, an obstacle in the way of progress.

That's why Titch's words ring so true to me. Congress getting nothing done was a blessing. I agree with Bragdon that we need some form of legislation. Someday, we may see it happen.

But if it's something like CISPA, I'll be back here pleading with Congress to do nothing.


Copyright © 2012 IDG Communications, Inc.
