Regulation Won’t Save You: Six Steps to Keep America Safe in Cyberspace
Editor’s Note: This article is adapted from the Heritage Foundation’s newly released Solutions 2016.
Cybersecurity threats are growing fast — and in ways that are hard to understand. Reactions range from denial (“It’s all hype”) to panicked cries that the digital sky is falling. As usual, the truth lies between these extremes.
Cybersecurity bills have sparked several legislative fights. Often, these have been characterized as partisan battles that have left America exposed to a growing variety of cyber threats. But that’s not very accurate. In fact, every major cyber bill introduced has gained bipartisan support as well as bipartisan opposition. The fight is not over whether cyber legislation is needed: It’s over what constitutes an appropriate response.
While the government has an important role to play in combatting the cyber-aggression of foreign nations, the answer to the U.S. cyber challenges ultimately requires harnessing the power of the private sector, not binding it down.
Indeed, the main point of contention is the degree to which cybersecurity should be the preserve of federal regulation. More regulation is Washington’s default response to almost any problem. But regulation is a 19th-century solution. Cyber threats are a 21st-century problem.
The bureaucratic regulatory process is far too slow and clumsy to keep up with dynamic, ever-changing cyber threats. Indeed, building a culture of mere compliance with regulations and a false sense of security may actually hinder security against bad actors who are agile, motivated, and clever.
Those bad actors include nation states. Many experts, such as NSA and U.S. Cyber Command chief Adm. Mike Rogers, regard Russia as the most sophisticated cyber threat, with China running a close second. Recently, part of Ukraine's power grid was taken down by a cyberattack believed to have originated in Russia. The breach of the Office of Personnel Management, a campaign believed to have been undertaken by the Chinese government, compromised information on over 20 million current, former, and prospective federal employees and clearance applicants. Such attacks demonstrate the ability of countries like Russia and China to inflict serious damage. In addition to its military interests, China also has a continuing desire to blaze a shortcut to prosperity via the cyber theft of commercial intellectual property.
Iran and North Korea are much less sophisticated than these two giants, but what they lack in expertise they make up for in malice. For example, the 2012 "Shamoon" malware unleashed on Saudi Aramco, the Saudi state oil company, was crude rather than clever: a wiper that overwrote files and master boot records, leaving some 30,000 workstations unusable. North Korea has also waged high-profile cyberattacks against the United States, the most notable being the one launched against Sony Pictures Entertainment, allegedly over a movie depicting North Korea in a negative light. The hackers exfiltrated terabytes of private data and publicly released confidential information, including five Sony films, several of them not yet released.
If you think regulation is going to fix all this, think again. To address the metastasizing cyber threat, the United States must leverage the forces of the market, motivating the private sector to make the sort of continual, creative investments needed to really secure our diverse networks. The government can then concentrate on fulfilling its essential role — which is to take the proper steps to deal with nation states actively waging cyber war on our country.
Several legislative steps must be taken to get this response underway. One good step in the right direction was the Cybersecurity Information Sharing Act (CISA), enacted as part of the FY 2016 omnibus appropriations bill signed into law last month. It affirmatively authorizes public and private organizations to share cyber threat indicators and defensive measures, and provides clear liability protection for such sharing.
Next, Congress should pursue a cybersecurity policy that eschews a cumbersome regulatory approach and instead erects truly dynamic cybersecurity defenses. Here are six critical elements to ensure the success of such an approach.
1. Undertake Stronger International Cybersecurity Engagement
In combatting cybercrime and espionage, the United States must increase cooperation and coordination with its friends and allies. Washington should lead international efforts to “name and shame” nations that use cyberspace for malicious purposes, whether against other nations or their own people.
Regrettably, after moving briefly toward this policy, the Obama administration recently reversed course by striking an agreement with China to stop economic cyber-espionage. The Chinese, however, had no intention of abiding by this agreement; cyber operations are, for them, integral to their larger warfare-in-peacetime strategy. Unsurprisingly, they have already broken their word, yet more proof that this agreement will do nothing to keep the United States safe in cyberspace.
To effectively deter cyber-aggression, the United States must respond to aggressive cyber campaigns by inflicting diplomatic and economic pain on the offending nations. This should include withdrawing from naive "cooperation" agreements, curtailing visas for guilty parties, and taking legal action such as filing criminal charges against those who steal information and intellectual property. Attribution in cyberspace is often cited as a reason why such countermeasures are difficult, yet multiple reports by private cybersecurity firms, working only from unclassified information, have identified specific malicious actors. The U.S. government, with far more information at its disposal, should be at least as capable of identifying cyber culprits.
2. Allow and Encourage Development of an Effective Cyber-Insurance Business
Washington should encourage the gradual development of realistic liability standards, to be drawn from common law and discussions with private-sector organizations. This will be difficult, but if done with industry cooperation, it could greatly enhance security awareness and activities.
As cybersecurity risks and liabilities are better understood, cybersecurity insurers could take the lead in developing actuarial tables from which they could sell insurance on a risk-based model: The better a company's security, the less it would pay in premiums.
These market-driven solutions would push the private sector to invest in appropriate levels of cybersecurity without the threat of outdated and onerous government regulations.
3. Protect the Cyber-Supply Chain
Components of computers, tablets, smartphones, and pretty much everything else are made all over the world, many of them in countries, like China, that pose a serious cyber threat. A non-governmental organization or company could evaluate supply-chain practices, operations, and security methods, similar to the way the cybersecurity organization I Am The Cavalry is working to evaluate the security of Internet of Things products. Those evaluations would then be made public.
Think of it as an Underwriters Laboratories of cyber. The organization would give grades to a tech company’s supply-chain operation, much as the longstanding accreditor — famous for its “UL” stickers on everything from toasters to computers — evaluates product safety. A company receiving a very high grade could charge more for its tech products. Buyers wanting to economize could take a chance with less expensive, but potentially less secure, items. The ratings would enable customers to make informed risk-based decisions, while giving companies a profit motive to shore up their supply-chain practices.
4. Consider a Specified and Controlled Cyber Self-Defense Authority
Today, a company does not know what its rights to self-protection against hackers really entail. Whom does a hacked company call — local police, the FBI, DHS? If it is attacked and has a strong tech capability, can it fight back?
No one wants vigilantes rampaging about with no controls or parameters. To avoid that, cyber legislation should establish basic rules for self-defense that are legitimate and well known.
5. Expand the Push for Real Awareness, Education, and Training
The Obama administration has made a start to countering both the ignorance and the hype surrounding cyber threats, but the effort thus far has been too little and too seldom. We need less lip service, and more effective action: Tell people the truth about cyber threats, and give them the tools to play a role in protecting themselves, their homes, and their businesses.
This must be a broad-based effort that reaches every community in America, at all levels. It must also be a regular part of training in every company and government entity. It should be done early, often, dynamically, and continuously. Ultimately, cyber systems are only as safe as the people using them. This means reaching out to civil society organizations and businesses that can then help their students, members, and workers be safer online.
6. Develop and Keep a Superb Cyber-Workforce
Cybersecurity affects everyone and everything we do in government, business, and the military. The United States needs to promote STEM (science, technology, engineering, and mathematics) education and adjust visa and certification practices to ensure that the best and brightest can use their skills to advance U.S. security. This effort should also update the security clearances process and use the pools of talent the U.S. already has in its military, businesses, and hacker communities.
The U.S. can and should do more to protect itself in cyberspace. While some of what should be done falls directly on the government, much of the work should rely on cooperation with, not coercion of, the private sector and the use of market forces.
David Inserra is a policy analyst specializing in cyber and homeland security issues at the Heritage Foundation’s Allison Center for Foreign Policy Studies. This commentary is drawn from a longer discussion in Heritage’s new compendium of policy recommendations, Solutions 2016.
Photo credit: Robert