Response to Paul on Cyber-Regulation for Critical Infrastructure

Last week Paul outlined his case against regulation of cybersecurity for Critical Infrastructure (CI).  He promises more analysis to come, but I wanted to post a few responses now, for while I don’t love government regulation, and while I agree with much of what Paul says, I do not find his case on its terms persuasive. On the demand side for regulation, Paul does not appear to question the idea that private CI firms lack proper incentives to engaged in cybersecurity investments sufficient to protect national security or that, in theory, the government might have a role in correcting this incentive problem.  Rather, Paul focuses on the extent of the threat and the costs of regulation.  I will address Paul's points briefly (with Paul’s points in italics). “Regulation is only necessary if you think that cyber vulnerabilities of CI are an existential threat.”  I am not sure what Paul means here, for clearly the government regulates all sorts of matters that do not present existential threats.  Moreover, even Senator McCain, who opposes the Lieberman-Collins approach, says that the “inevitability of a large-scale cyberattack is an existential threat to our Nation.”      “We would not be thinking of a new regulatory scheme just to deal with cyber crime.  This isn’t accurate.  We (meaning the U.S. government and others involved in cybersecurity) are thinking of new regulatory schemes to deal with cyber crime.  To take one of many examples, the FCC recently proposed, and major ISPs agreed to, the U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs) which constitutes “a new code of conduct aimed at mitigating cybercrime.”  The principles are voluntary for now but this is a first step toward more robust regulation.  Also, as Paul notes, “NERC now sets cybersecurity standards for the electric industry, for example, and the CFATS program I mentioned above already has cybersecurity performance standards for the chemical industry.”  There are scores of other examples. “The entire premise of the pro-regulation argument is that large swathes of our CI are vulnerable to, say, Chinese attack.   But that’s not an accurate assessment of the actual risk – either right now or any time in the near to mid-term.”  Paul worked on these matters in the government, and so he is in a position to know.  But his assessment of the risk differs dramatically from others he worked with in government, and from those in government now, including prominent opponents of Lieberman-Collins, like Senator McCain.  Paul provides no evidence for his claim.  But nor do those on the other side of the issue.  This is a key point.  If CI is not in fact terribly threatened by cyber-operations, the argument for regulation decreases.  I do not know how to sort out this important factual premise and it is doubtful that we can based on public information.  Congress will need to assess this issue, including the classified threat information, carefully. “Regulation is also not the only way that governments deal with externalities.  We sometimes deal with them through other means like subsidies, taxes, and the imposition of liability.  And sometimes, if the costs of fixing the externality are greater than the costs imposed by the externality, we just live with it.  In general, regulation is one of the less effective methods – it is subject to well-known risks of regulatory capture and information asymmetry that make it a poor choice of methodology for dealing with externalities.”  I agree with this save the last sentence, but I think we have a definitional difference here.  I consider subsidies, taxes, liability, and government-enforced standards to be different forms of government regulation – they are different ways that the government seeks to achieve certain ends through incentives or compulsion or both.  Yes, agencies can be captured, and yes, they can suffer information deficits.  (Subsidies, taxes, and liability also have well-known costs.)  But this argument is at far too high a level of generality to assess (for it condemns all of what Paul calls regulation).  Also: Does Paul favor subsidies, taxes, or liability to address cybersecurity for CI? “Regulation is an especially poor choice for use in a dynamic and changing environment where the performance standards we might develop today are almost certainly irrelevant to the architecture of the Internet as it will exist in, say, three years.”  It depends on the regulation.  Lieberman-Collins tries to encourage basic performance standards largely crafted by industry, and leaves it to firms how to meet these standards in a changing technological environment.  That said, I am sensitive to the costs of regulation on the development of and innovation in digital goods.  The question is whether these costs – whatever they are (I have seen little concrete analysis of these costs) – are justified because of the costs of non-action in public encouragement of defense for CI.  The basis Lieberman-Collins approach seems like a sensible, relatively small step in dealing with a problem that the government (contrary to Paul) says is a severe crisis.  I might be wrong about this – in truth I do not know how to assess the costs of regulation versus the costs of non-regulation, and I have not seen any good analysis of that crucial issue in this context.  Nor do I think such an analysis will be forthcoming, because so much information is classified, and because metrics are very hard in this context. “No Federal agency is suitable to lead this regulatory effort.”  This is a real problem, I think.  Many people think DHS is incompetent, and NSA, which has competence, is not trusted in this context.  While I think this is an important argument, I do not think it can suffice as a reason against regulation that is otherwise warranted.  If there is a problem that only government can properly fix, government must find a way to fix it.  It cannot claim simply that it doesn’t have an ideally crafted agency. “The entire focus of the proposed regulatory structure is misguided” because it focuses on defense and not resiliency.”  I don’t see why we have to choose.  Both are important.  If Lieberman-Collins is missing a strategy for resiliency, that is an argument for adding one.  But it is not an argument for not taking defense seriously.  No one thinks, by the way, that “adequate protection can prevent cyber intrusions” (my emphasis).  The point is to raise the costs of intrusion, to make cyber intrusions harder.  Regulation rarely aims to eliminate a disfavored practice; it aims, rather, to reduce its incidence to an acceptable level.     “Finally, the rush to Federal regulation will have significant adverse effects on Internet governance and our international posture.  Cyberspace is a borderless domain and an American regulatory system will not mix well with that structure.”  This is overstatement.  Cyberspace is not remotely a borderless domain (Tim Wu and I wrote a book on this topic).  The United States – and every nation – regulates the Net differently, and the Net still works.  Paul is right to suggest (as Tim and I argued in chapter 9) that regulation of the Net can lead to regulatory spillover effects.  This happens all the time, and indeed, such effects are inevitable.  Those effects might be good or bad, depending on which regulatory scheme prevails.  However, I do not see how the Lieberman-Collins imperative to enhance CI protection could plausibly lead DHS to create the international problem Paul asserts. Bottom line:  Summarizing grossly, Paul’s argument appears to be (a) the threat and the incentive problems for defense are not severe, (b) the costs of regulation will be enormous, and (c) DHS is not competent to regulate in this context.  On (c) I defer to Paul (who used to work in DHS), but I do not think this is a powerful argument against any form of regulation.  Concerning (a), two different presidential administrations, and many in Congress, disagree with Paul.  The hard issue, and the one on which Paul focuses most, is (c): the costs of regulation.  Paul’s arguments are abstract, but there will certainly be many costs of regulation, just as there are many costs of regulation in every regulatory context, including successful ones.  The key issue is how to weigh the costs of regulating cyber CI against the costs of not doing so.  I doubt any one knows how to run that calculation with certainty, and thus the debate proceeds on the basis of intuitions about the threat and intuitions about the cost of regulation.  Let’s hope the government guesses right.