Economic Perspectives: Cybersecurity Policy Reforms for the 21st Century

The United States faces formidable cybersecurity challenges as the role of information technology in business and communication continues to grow. All cyber threats are not alike. A potential lone criminal committing identity theft and fraud requires a much different policy response than the risk of state-backed hackers launching attacks against critical infrastructures. Smart, targeted policy reforms will strengthen our network security by encouraging proactive research and robust defenses to address each type of threat along every potential attack vector.

Those whose property and information are at risk are in the best position to develop, implement, and maintain cybersecurity solutions. A top-down approach to cybersecurity can never successfully identify and prioritize the vast array of relevant factors for achieving effective cybersecurity, especially in view of the rapid pace at which technology develops. Policymakers should focus on reforms that will empower the public to better protect itself. The goal should be to develop a policy environment that encourages proactive research, reporting, and defense while supporting strong encryption techniques. Mercatus Center scholars have identified several policy reforms that would help accomplish these goals.

Focus Efforts on Reducing Federal Breaches

Federal agencies now experience around 70,000 information security incidents per year. Many of these are caused by basic mistakes like giving administrator access to contractors in foreign countries, not using strong authentication techniques, not applying software updates, and leaving sensitive equipment lying around. 

• Increased cybersecurity spending has not stemmed breaches. The government is not in a credible position to help the private sector secure itself until it improves its own network security. After years of increasing spending and information sharing among agencies, the federal government’s information security incidents continue to rise every year.
• Systemic problems cannot be resolved by quick fixes. The federal government’s cybersecurity weaknesses are not merely superficial issues that can be quickly resolved in a few short weeks; they are deep, pervasive, and systemic problems resulting from decades of poor information security practices.
• More of the same federal initiatives will not work. These weaknesses cannot be solved by creating new offices or agencies. In fact, as of mid-2015, there were at least 62 federal offices that publicize a mission specifically dedicated to cybersecurity. Meanwhile, many have called for these offices to take on a larger role in defending our nation’s information systems. It is unclear that these new federal initiatives will be effective when applied to the larger and less familiar information security systems of the entire nation.
• “Information sharing” is no panacea. Legislation that aims to encourage private entities to share more data with intelligence agencies by extending legal immunity to corporations is unlikely to meaningfully decrease the number of cyber breaches. Americans’ civil liberties and privacy rights are also at risk, since these proposals lack the needed transparency to assure appropriate safeguards are in place. Furthermore, federal agencies are ill equipped to secure the massive datasets that expanded information storage would require, as the 2015 disastrous OPM hack attests.

Support Strong Encryption Techniques

The first step to improve protection from foreign cyber espionage is to encourage strong encryption that is turned on by default.

• Weak encryption means weak national security. Proposals to outlaw certain encryption techniques or mandate government “backdoors” for investigators ultimately works against law enforcement because criminals can also exploit those weaknesses. Strong encryption strengthens both cybersecurity and national security because it also helps protect classified information and systems from unauthorized access. Policymakers should cease the counterproductive “War on Crypto” and instead develop ways to spread and support these technologies. 
• Internet system infrastructure should be open and auditable. Encouraging the development of an “open hardware” movement—an extension of the open-source movement that has led to software products like the Mozilla browser and the Linux operating system—will result in an Internet infrastructure, both hardware and software, that is open, auditable, and more secure.

Repeal or Reform Rules that Inhibit Security Research and Active Defense

Many outdated policies and legal norms act as counterproductive roadblocks to critical, security-improving research.

• Research, reporting, and defense should be allowed and encouraged. Computer engineers are reluctant to report innocently discovered system vulnerabilities, fearing retaliatory lawsuits. Researchers who discover vulnerabilities should have a safe way to report bugs for quick patching. They should be allowed to defend their systems when they are being attacked, while bearing full liability for any damage they cause to innocent parties. 
• Active defense against hackers is necessary. The Computer Fraud and Abuse Act (CFAA) was intended to stop fraud and abuse, but, instead it is being used to chill legitimate research and self-help. Congress should add a qualified right of active defense to the CFAA. Businesses should be free to use the technological resources at their disposal to protect themselves and their consumers, while being subject to strict liability in the event of unreasonable countermeasures against an innocent party unrelated to the attacker. This change would force those who invoke the right to active defense to internalize the risk of misattributing the source of the attack. 

Federal Agencies Should Aim to Help the Public Protect Itself 

Trusting the public by sharing information with us makes economic sense.

• Federal “zero-day vulnerabilities” should be declassified. The government has knowledge of many software vulnerabilities that the developer and vendors lack, but it often conceals this knowledge from the public and businesses. More transparent so-called zero-day policies will allow entities to patch vulnerabilities in a timely fashion and strengthen network security.
• Businesses have incentives to protect their own business. Companies and firms, on their own, are best able to solve cybersecurity issues because they have the quickest access to information about relevant threats. The best evidence shows that private firms do, in fact, spend a lot of money securing their own assets.
• Subsidies and mandates are not viable solutions. Private firms are devoting larger shares of their IT budgets to security. Businesses have a lot on the line, perhaps up to billions of dollars. Private firms may already be providing enough security for self-interested reasons and no new subsidy or mandate from the government will make a difference.

Conclusion

Cybersecurity policy should refrain from imposing sweeping, expensive, top-down solutions that could increase rigidities of existing systems. The federal government can better protect American information systems by shoring up its own network vulnerabilities, supporting strong encryption techniques, and reforming laws to encourage security research and reporting, so that the entities best positioned to do so can strengthen their own cybersecurity.