Written by Jim Harper, Director of Information Policy Studies at the Cato Institute. Posted with permission from Cato @ Liberty.
A year ago, almost to the day, I blogged about a legislative package on cybersecurity being proposed in the Senate. “Soviet-Style Cybersecurity,” I called it, because of the “centralizing and deadening effect” it would have on the many and varied efforts to respond to the many problems lumped together as “cybersecurity.” President Obama’s new executive order, titled “Improving Critical Infrastructure Cybersecurity,” has similar, if slightly more sinister, qualities.
To understand my thinking in this area, you must first understand the concepts in a superlative law review article I first read when I was doing oversight of the regulatory process as a congressional staffer. “Administrative Arm-Twisting in the Shadows of Congressional Delegations of Authority” is by University of Flordia law professor Lars Noah. In it, he described the administrative practice of imposing sanctions or withholding benefits in order to elicit “voluntary compliance” from regulated entities. The upshot? There is no “voluntary” when businesses are repeat players or under ongoing supervision of an agency.
The cybersecurity executive order has arm-twisting all over it.
It is Soviet in its attempt to bring the endlessly varied and changing problems associated with securing computers, data, and communications under a top-down federal plan. Look at how it strains to replicate the nimble action that would be produced in an environment where cybersecurity lapses simply cost businesses money:
The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risk…. The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach….
Translation: “Put spontaneous ordering in the plan.” And, shockingly, this system is supposed to be designed in just 240 days.
Then there is the provision that calls for “voluntary” participation among providers of critical infrastructure and “other interested entities.” Remember, there is no “voluntary” when an agency with supervisory authority wants action.
Finally, we come to the sinister: Section 9(c) of the order requires the Secretary of Homeland Security, along with “Sector-Specific Agencies,” to “confidentially notify owners and operators of critical infrastructure” that the government has designated them as such.
That confidentiality is a secrecy trump-card, played in advance, to chill any company that might think of challenging its designation as “critical infrastructure,” subject to all that planning, planning, planning. A business that publicly challenges its designation has already committed an offense, in our terror-stricken and cyber-gullible land, for revealing a government confidence.
Embedded firmly in their cybersecurity role, government overseers will have one job and that is to prevent a “cyberattack”—most, far more imagined than real. They will invest the resources of the businesses they direct without regard to cost-effectiveness, performance, flexibility, or any of the other market-oriented values that the executive order touts.
Even the sections of the order that promote sharing of threat information from government to the private sector have an authoritarian approach. Rather than having the government propagate information about vulnerabilities far and wide to make all computing more secure, the order creates a closed system of insiders who would be ladled out access to information they could use in their security efforts.
This is inconsistent with industry-standard security reporting practice, which is (generally) to notify the producer of a vulnerability first and all who are susceptible to it in short order. A closed system will preserve vulnerabilities in some sectors, nominally to protect government “sources and methods,” but really to preserve government power.
In my Soviet-Style Cybersecurity post from a year ago, I marveled at how “this bill strains to release cybersecurity regulators—and their regulated entities—from the bonds of law.” Reading President Obama’s cybersecurity executive order for the first time, I wrote in the margin, “Can this be brought under law?” I don’t know that it can, as the president is calling on the executive branch to twist the arms of our nation’s businesses under the cover of secrecy.