The Unpersuasiveness of the Case for Cybersecurity Regulation – An Introduction

My friend, Jack Goldsmith, wonders whether my earlier post about the pending Congressional proposal to regulate cybersecurity was a reference to General Alexander’s failure to persuade Senator McCain of the merits of a regulatory program, or an expression of my own view.  He rightly concludes that it was a little bit of both – mostly a news report about the exchange of letters, but masking some of my own skepticism.  Jack, not unkindly, asks why am I such a skeptic?  Especially when former colleagues whom I deeply admire and respect disagree? I’m afraid that the answer requires a fair amount of explanation – probably more than will fit in a single post.  So I’m going to offer an outline in this post with the promise of more to come. A Summary of the Pro-Regulation Argument The fundamental premise of Jack’s argument (echoing luminaries he quotes like Michael Chertoff and Stewart Baker – both former bosses of mine -- and others he doesn’t quote, like Richard Clarke and Michael Hayden) is that we are not adequately protecting the cyber systems that undergird critical American infrastructure (CI).  The argument runs, to quote Jack: “There is no reason to think that private firms that own CI will invest in cybersecurity defense and resilience in the ways and to the extent needed to prevent the harms to the industries and persons who depend (directly and indirectly) on the affected CI.” Jack’s argument here is that cybersecurity is a positive externality (or, flipping it around, that failing to provide cybersecurity is a negative externality) and that even a well-functioning private market will not produce the optimum amount of investment.  This, Jack argues, means that government must play a vital role in enhancing the cybersecurity of CI by regulating it.  Jack acknowledges that the structure of Title I of the Lieberman-Collins bill may not be optimal (about which more later) but argues that “the government is the only institution with the resources and the incentives to ensure that the CI on which we all depend is secure, and we must find a way for it to meet its responsibilities.”  He even goes so far as to say that those (like me) who find the regulatory case unpersuasive have our heads in the sand.  :-) [As an aside, at another point in his brief post Jack suggests that cybersecurity is, in fact, a pure public good, like national defense.  I’m pretty sure he doesn’t mean that.  First, it’s not accurate – most cybersecurity products are, in fact, private goods (like Norton Security) that are bought and sold on the private market.    Second, the implications of the position are not ones that I think Jack actually accepts --  since the classic response to identification of something as a public good is to conclude that it is a government function which the government should provide.  For public goods there really isn’t any incentive for any private actor to produce the good at all – and, clearly, that’s not happening here.  Given the rest of what he writes, I’m pretty sure that Jack and I agree that cybersecurity is (mostly) a private good with positive and negative externalities.  The only aspect of cybersecurity that meets the formal definition of a public good (that is, it is both non-exclusive and non-rivalrous), is threat and vulnerability information – as I explained in this Hoover paper.] A Short Answer As I said, the answer to this pro-regulation argument involves several distinct, yet related arguments.  To my mind any one of them is sufficient to answer the mail as a ground for opposing a regulatory régime, but others may find them persuasive only in combination.  In any event, in this first post, I simply want to outline the highlights of my argument, with the promise to follow up with posts on the subheads of the discussion (so if you don’t find my summary persuasive, perhaps you might be willing to suspend your disbelief until you see the details).  [I should mention, however, that this extended response is a labor of love – so it won’t take precedence over paying clients and the various pieces may come out over the next few weeks.]

• Regulation is only necessary if you think that cyber vulnerabilities of CI are an existential threat.  We would not be thinking of a new regulatory scheme just to deal with cyber crime.  The entire premise of the pro-regulation argument is that large swathes of our CI are vulnerable to, say, Chinese attack.   But that’s not an accurate assessment of the actual risk – either right now or any time in the near to mid-term.
• Regulation is also not the only way that governments deal with externalities.  We sometimes deal with them through other means like subsidies, taxes, and the imposition of liability.  And sometimes, if the costs of fixing the externality are greater than the costs imposed by the externality, we just live with it.  In general, regulation is one of the less effective methods – it is subject to well-known risks of regulatory capture and information asymmetry that make it a poor choice of methodology for dealing with externalities.
• Regulation is an especially poor choice for use in a dynamic and changing environment where the performance standards we might develop today are almost certainly irrelevant to the architecture of the Internet as it will exist in, say, three years.  The mean time to significant regulation in the US is 18-24 months.  In that time the speed of processing on the network doubles and the cost of data storage declines by half.
• No Federal agency is suitable to lead this regulatory effort.  DHS is not a regulatory agency and their one major regulatory program (the Chemical Facility Anti-Terrorism Standards program – CFATS) is mired in bureaucratic failure.  Other civilian agencies (like Commerce or the FTC) with some relationship to cyberspace jurisdiction lack both the breadth of authority and the technical expertise.  And the only agencies with adequate cybersecurity know-how are military agencies (NSA and Cyber Command, principally) who are not regulatory agencies at all and who we ought to be reluctant to give a lead role in defining the architecture of an essentially civilian enterprise.
• The entire focus of the proposed regulatory structure is misguided.  It recapitulates a Maginot Line type mentality that posits that adequate protection can prevent cyber intrusions.  One may read the entirety of Title I of the Lieberman-Collins bill without seeing the word “resiliency” anywhere within its text.  The structure of the statute reflects the fact that our lawmakers seem to misconceive what cybersecurity is and ought to be.  That category mistake gives me a healthy skepticism that we understand the real root of the problem – a necessary predicate to legislation.
• Plenty of regulations already exist in this sphere and their track record is modest at best.  But to the extent that we think regulation is efficacious, we are already doing it.  NERC now sets cybersecurity standards for the electric industry, for example, and the CFATS program I mentioned above already has cybersecurity performance standards for the chemical industry.  [And, yes, I do realize that this point cuts a little both ways – to the extent we already have regulation, what is the harm in the bill?  It may be none, but I suspect that the answer is the dreaded “extra layer of bureaucracy” with DHS approving NERC standards.]
• Finally, the rush to Federal regulation will have significant adverse effects on Internet governance and our international posture.  Cyberspace is a borderless domain and an American regulatory system will not mix well with that structure:
  • Border effects – what if US performance standards are not consistent, say, with Canadian?  Will protection of our unified electric grid suffer?
  • Fracturing the Network and the Market – US security standards, if we set them, will almost certainly result in the growth of such standards in other parts of the world.  There is every reason, however, to expect that American standards will not become universal.  Rather they will be different from European standards or Asian ones.  To the extent embedded in system architecture the varying standards threaten the universality of the network.  To the extent not, these varying standards will “only” be a regulatory burden borne by companies, stifling innovation and reducing profit margins.
  • Internet freedom will suffer.  Already, China argues that its regulation of the internal Chinese cyber domain is “just like” our use of NIST to set standards.  We may comfortably laugh that off now, but we will have a much harder time making the public case for internet freedom of public expression if our own security standards run at all in the direction of, say, identification requirements (as they likely will).

In short, there are many challenges in securing cyberspace today, and protecting CI.   And there are plenty of possible ways of thinking about solutions.  I neither want to overly diminish the problems nor be sanguine about the capacity to find useful answers.  I do, however, mean to express a very healthy dose of skepticism that the regulatory structure of Title I of the Lieberman-Collins bill (or anything reasonably close to that model) is a useful answer. Stay tuned …. More to come ….