(Page 4 of 4)
Proposed cybersecurity legislation presents more opportunities for pork spending. The Cybersecurity Act of 2010, proposed by Sens. Jay Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) called for the creation of regional cybersecurity centers across the country, a cyber scholarship-for-service program, and myriad cybersecurity research and development grants.
Before enacting sweeping changes to stop cybersecurity threats, policy makers should clear the air with some simpler steps.
First: Stop the apocalyptic rhetoric. The alarmist scenarios dominating policy discourse may be good for the cybersecurity-industrial complex, but they aren’t doing real security any favors.
Second: Declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, as the CSIS report and Clarke and Knake’s book both acknowledge, and declassification would allow the public to verify the threats rather than blindly trusting self-interested officials.
Third: Disentangle the disparate dangers that have been lumped together under the “cybersecurity” label. This has to be done if anyone is to determine who is best suited to address which threats. In cases of cybercrime and cyberespionage, for instance, private network owners may be best suited and may have the best incentive to protect their own valuable data, information, and reputations.
Only after disentangling the alleged threats can policy makers assess whether a market failure or systemic problem exists in each case. They can then estimate the costs and benefits of regulation and other alternatives, and determine what if anything Washington must do to address the appropriate issues. Honestly sizing up the threat from cyberspace and crafting an appropriate response does not mean that we have to learn to stop worrying and love the cyber bomb.
Jerry Brito is a senior research fellow at the Mercatus Center at George Mason University and director of its Technology Policy Program. Tate Watkins is a research associate at the Mercatus Center.