The Federal Government's long-term plan to 'do something' about the security of critical national infrastructure reached another milestone today with the floating of some trial balloon proposals for voluntary industry incentives.
Just in case my tone didn't come through there, while I think the issues involved here are important, I think very little of, and expect very little from, the Federal Government's involvement. My principal reason for this is that I can't believe that the government can tell private companies how to secure their networks better than they can themselves. Market and liability incentives really ought to be enough, and if they aren't, it's because management isn't being held sufficiently accountable.
(An aside: I despise the term 'cybersecurity.' It's more a political than a technical term and doesn't really have a clear definition. But I think we're stuck with it.)
Some of the ideas in the proposals released today by Michael Daniel, the Special Assistant to the President and Cybersecurity Coordinator, are not bad, but others seem to me like they're just muddying the waters. Even the good ideas don't necessarily merit involvement of our Cybersecurity Czar.
The idea of cybersecurity insurance is obviously one which is being worked out already between insurance companies and their customers, and common sense for both sides should lead them to the conclusion that more secure companies should pay lower premiums. Why do we need the Federal Government to 'engage' with the insurance industry to do that which is plainly in their own interest? It's like when government pays farmers to do soil conservation.
Grants, process preference, public recognition: all of these are likely to be of marginal value to a company that qualifies as 'critical infrastructure.' Liability limitation could be a great incentive for industry, tied closely in with the insurance incentives, but I don't seriously expect it from this administration.
This effort to develop voluntary incentives came from Congress's failure to pass legislation in this area last year. The administration decided to move on with proposals they could exercise through executive action. And yet, some of the proposals sound like they would have to have legislative approval, limitation of liability being one of them. I wonder whether the same is true of the proposal for rate recovery for price-regulated industries, a proposal which would also involve state and local decisions. As for the proposal to streamline regulations, not only is it the most tired of policy bromides, but the administration has had a Regulatory Czar ("Administrator of the Office of Information and Regulatory Affairs") since 2009. Just a few months ago Howard Shelanski was named to this position to replace Cass Sunstein. Do we need a whole new bureaucracy to administer the streamlining of regulations?
Finally, it's worth asking whether private industry should take computer security advice from Michael Daniel. Like me, Daniel has a degree in public policy, but he has spent his career in the government, largely in the executive administration of intelligence services. He has been involved in federal cybersecurity efforts for several years, but that doesn't impress me.
The Bush administration was every bit as phony on these matters as the Obama administration, so the charade that the Federal Government is engaged in these problems is an old and established one by now. So far, the mission of the Cybersecurity Czar seems to be to issue a report every couple years calling for further study of the matter. At least they're only wasting our money like this rather than actively making things worse.