The Cybersecurity Tempest in a Teapot

I don’t get what the big hubbub is about. I understand that internet types are all aflame about President Obama’s executive order on cybersecurity. Congress has been unable to reach a consensus, with a bill passing the House, but not the Senate — in part, I believe, because of opposition from the Obama Administration. 

If this is what the administration was fighting for, it is more of a pop gun than a cannon. A quick read of the executive order indicates that it is all voluntary. True, it calls on the federal government — primarily the Secretary of Homeland Security — to develop standards for cybersecurity for the owners of critical infrastructure of U.S. internet networks. And it is up to the federal government to decide who makes it onto the list of critical infrastructure, which is defined as “systems or assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”But, unless I am missing something, no private company or individual is required to adopt those standards.  So, like Obama’s gun orders, the executive order on cybersecurity is a waste of presidential power — all show but no substance. 

In fact, there is no reason why the federal government needs to perform this function. If this is just an issue of identifying the best cybersecurity practices, we should allow private industry, both the creators and consumers of advanced internet and computing technology, to develop their own voluntary standards. The federal government can then help ensure those standards become uniform simply by choosing to buy and sell internet products from those firms that offer the best balance of security versus cost effectiveness. Allow the market to develop the best way for companies to protect their internet infrastructures and information, and they can sell those products to the government.

  1. Aaron Miller
    John Yoo:

    In fact, there is no reason why the federal government needs to perform this function. ….

    If something can be accomplished without government, it should be accomplished without government.

    Beware of mission creep.

  2. lynn bateman

    Just another ruse by BHO to intrude on and manage American life.  Thanx for illuminating, John.

  3. raycon and lindacon

    Think of this as the commerce clause for the internet.  All voluntary, no obligations… at the moment.

    Once the structure is in place at Homeland Security, the requirement that it be implemented by law is ready to go.  All it takes is yet another Executive Order with the force of law.  Unlike most of the physical universe, the internet does not suffer the physical inertia of bricks and mortar commerce.  Try this control without having the infrastructure in place and functioning, and the instant rebellion of the internet culture would scramble such resistance that the structure could never be built.  Build it first and there can be no resistance.

    Obama has been in power for over 4 years now.  How long will it take before we understand how he works?

  4. Nick Stuart

    Agree with raycon and lindacon

    Also

    John Yoo:  The federal government can then help ensure those standards become uniform simply by choosing to buy and sell internet products from those firms that offer the best balance of security versus cost effectiveness.

    Charming notion, that the federal government would choose to buy and sell  from the firms offering the best balance.

    This would happen completely untainted by the thumbs of lobbyists, whose district benefits, the executive branch picking winners and losers, minority contracting, and support for memes du jour like green energy pressing down on the scales used to weigh the purchase.

    This also assumes that the cost/effectiveness balance is uniform for all sectors of the federal government and matches the cost/effectiveness balance for the private sector.

    Prof. Yoo (like Prof. Epstein), really needs to get out more. While his legal analysis is sublime, it is often accompanied by a disconnect with the reality where most of us operate. 

  5. Tuck

    “Prof. Yoo (like Prof. Epstein), really needs to get out more. While his legal analysis is sublime, it is often accompanied by a disconnect with the reality where most of us operate. ”

    Indeed, although I think Prof. Yoo is better connected, generally.

    The Feds can’t secure their own networks, the security vendors that they use can’t secure their networks.  The notion that they would be of any use in telling citizens how to secure our networks isn’t worthy of serious consideration.

    Except, I guess, in academia or Washington.

    That said, we do have a serious problem with network security…