By David J. Smith
Copyright © 2012 Potomac Institute for Policy Studies
Senator John McCain (R-AZ) and a number of ranking Republican members from several Senate committees recently introduced the Secure IT Act of 2012. This bill is intended as an alternative to the Cybersecurity Act of 2012, introduced by Senator Joe Lieberman (I-CT) on February 14. Before Washington engages in a classic political duel on a vital matter of national security, let us declare a truce. Both bills have good points and both bills are missing some important things.
McCain’s Secure IT bill is strong on privacy and information protection. Not only does it establish criminal penalties for violation of its own terms, it also criminalizes certain malfeasance on the web and sets up stiff penalties. For example, U.S. criminal code would be amended to make it a crime to damage a critical infrastructure computer. Finally, recognizing that cyber security is an enduring challenge, it sets up programs for research, development and education, including scholarships for students of cyber security.
Moreover, the Secure IT bill does not contain a provision for NSA monitoring, which some had feared it would, based on some earlier McCain statements.
To dispatch all the bugaboos, the Lieberman bill does not contain a so-called “Internet kill-switch,” as some have said.
And Lieberman’s Cybersecurity bill takes a step toward solving the real problem—protection of privately owned infrastructure that is critical to the nation’s security. Although the problem will not be easily solved, it can be simply stated: how can the nation ensure that individual private businesses will spend money on cyber security measures that they may not perceive to be in their direct economic interest, although such measures are in the nation’s security interest?
McCain is right to fear government regulations that “would stymie job-creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates.” However, equally harmful would be a voluntary system in which individual businesses shy away from certain cyber security expenditures out of fear that competitors will avoid such expenses, thereby undercutting them. The mandatory provisions of the McCain bill would apply only to “an entity providing electronic communications services, remote computing services or cybersecurity services to” the Federal Government.
Ironically, a degree of government regulation would level the playing field, making full implementation of needed cyber security measures more likely. The Lieberman bill directs the Department of Homeland Security to conduct risk assessments in cooperation with businesses, define which businesses should be affected and design flexible performance requirements that companies can decide themselves how to meet.
Indeed, the trick in all this will be to ensure that the process does not become mired in argument, red tape and inflexible, obsolescent regulations.
To that end, the Lieberman bill would benefit by adopting two features of the McCain bill—its very precise procedures for handling private information that the government might obtain and its far more rigorous definition of critical infrastructure.
Finally, the new law should benefit from some outside suggestions such as strengthening provisions against compromised foreign-made hardware.
The bottom line is that the country does not need a duel between 20th Century clichés; it needs the very best ideas from all sides to bolster American security with an unprecedented 21st Century government-private sector partnership. By the way, that means that it is worth taking the time in Congress to get this right—not rushing to a vote or bypassing normal procedures.