Code Red

How Capitol Hill politicking has undermined cybersecurity -- again.

The U.S. Congress has been considering two significant cybersecurity bills, the Revised Cybersecurity Act of 2012, which failed a procedural vote in the Senate on Thursday, and the Cyber Intelligence Sharing and Protection Act (CISPA) in the House of Representatives.* Their significance comes from their shortcomings: Both bills have fallen prey to the limits of the current American political climate, where special interests and disputes over the appropriate role of government have combined to harm national security -- and, as a result, neither will do much to protect the United States from cyberthreats.

Congress knows that weak cybersecurity endangers the country -- and that America is dangerously unprepared -- but it cannot muster a majority to support serious defensive measures. The same forces that have kept Capitol Hill in gridlock on many important issues have also blocked effective cybersecurity legislation. That said, Congress does not want to be in the position, after the inevitable cyberdisruption, of having to say it knew but did nothing.

The political solution to gridlock is to pass weak legislation and pretend it will work. This is the CISPA story. House Republicans created a Cybersecurity Task Force last year to develop ideas to strengthen cybersecurity. The report they issued in October was fair and accurate. Had the House enacted its unanimous recommendations, which included regulation of critical infrastructure, the nation would be safer. The recommendations formed the basis of a comprehensive bill introduced in the Homeland Security Committee. Unfortunately, for reasons that are unclear, but likely relate to concerns about the Department of Homeland Security (DHS), small-government ideology, and the pressures of an election year, the House suddenly reversed course and withdrew the comprehensive cybersecurity bill from consideration, with some members saying that they no longer supported the report they had endorsed a few months earlier.

The demise of the task force-inspired bill meant the House needed something to take its place. The solution was to elevate CISPA. CISPA began as a measure to remove the legal impediments to information sharing between companies and the government. This information can include "signatures" and other cyberthreat indicators, such as intelligence information, reports of successful penetrations, and information on the identities or network addresses of the "attacking computers." (This category raises potential privacy problems that CISPA worked hard to address.) Many people agree that the United States needs to update legislation on communications and privacy, and CISPA does good work in this regard (pace the privacy community), but it is not really a cybersecurity bill, and sharing information is a feeble response to a serious threat.

Politicians like information sharing because it doesn't actually require them to do anything. Information sharing was a central part of the Clinton administration's cybersecurity policy created in 1998 by Presidential Decision Directive 63. Information sharing didn't work then, it hasn't worked since, and it won't work now. America is more vulnerable to cyberattack after years of relying on voluntary action and information sharing because information sharing does not change the economic incentives for inaction. Companies assess the probability that a threat will become an attack, and if there is an attack, whether they will be held liable. They weigh the cost of preventive measures against the risk of liability. Almost all conclude that the liability risk for cyberattack is too low to justify greater effort. This is a sensible business decision but does not help national security. Sharing cyberthreat information is not enough to protect critical infrastructure because it is the attacks we don't know about, the attacks that exploit unknown vulnerabilities, that create the greatest risk.

Particularly after their experience with the "warrantless surveillance program," where companies that cooperated faced a plethora of lawsuits, corporations are understandably reluctant to share information with the government. CISPA would lower the risk of sharing information by offering them liability protection, but it does not create incentives for securing networks. In private, some members of Congress will tell you that they know CISPA is not enough. Nevertheless, in public, they trumpet CISPA as a cybersecurity bill. One powerful motive for its passage, as a House member privately told companies, was that it would "help protect you from regulation."

The bogeyman of regulation appeared in the Lieberman-Collins bill (now the Revised Cybersecurity Act of 2012), which incorporated language from bills drafted by Senators Jay Rockefeller, Olympia Snowe, Dianne Feinstein, and Tom Carper. The bill, in draft for three years, gave DHS the ability to regulate critical infrastructure. This provoked howls of rage from some conservative opponents because it ran contrary to the belief that the private sector does not need help from big government. There are sound reasons to be critical of Keynesian economics without also sacrificing public goods. Big government is best avoided, to be sure, but no sane person has ever said that the private sector can carry the burden of national security. Nor is anyone calling for an end to Federal Aviation Administration regulation and instead relying on market incentives for safe flight. The fate of the cybersecurity bills is part of a larger and damaging political debate on the role of government.

To be fair, early drafts of the Cybersecurity Act had problems. No one on either side of the aisle was comfortable giving DHS more authority -- its failure to perform in the first years of its existence told heavily against it. What's more, the bill did not precisely define what critical infrastructure would be covered by the new law, giving the impression that DHS would regulate the entire economy. And it was too prescriptive, requiring DHS to approve companies' cybersecurity plans in advance -- a sure way to ensure delays and backlogs.

At the same time, proposed amendments from opponents were ridiculous. To limit the definition of "covered" critical infrastructure, they proposed that only facilities where cyberattack would produce "a mass casualty event comparable to the consequences of a weapon of mass destruction," "mass evacuations of a major population center," or "catastrophic economic damage" would be covered. The Stuxnet worm, for example, would not have been caught under this definition. Amendments like these showed that many opponents of the bill, in and out of Congress, are not serious about cybersecurity.

When the Cybersecurity Act was finally introduced in February, many issues had been fixed. DHS would no longer approve plans in advance. Company CEOs would only need to certify once a year that they had taken steps to secure their networks, using measurable outcome-based guidelines. DHS would not prescribe how they should do this, but simply define outcomes that a company could then use any technology or technique to achieve. This was very light regulation, but for some it was still too much.

Encouraged by business interests, seven ranking minority members from relevant Senate committees rushed an alternative bill into play. The first draft of this alternative bill was simply a copy of early versions of the Lieberman-Collins bill, with the new authorities removed. It, like the "mass casualty" definition, was intended only to block the Cybersecurity Act, not to make Americans more secure -- any politician or lobbyist will tell you it is hard to stop something with nothing.

The Revised Cybersecurity Act that reached the floor last week was drastically amended in an effort to secure more support. One amendment that did not survive built on ideas from Senators Sheldon Whitehouse and Jon Kyl. It would have kept a standard-based approach and annual certification, but made it voluntary for all companies except those that the government designated as critical to national security. An example would be a critical defense facility in a remote area that depended on a small electrical company whose networks may be vulnerable to attack.

This approach could have worked. The only requirement would have been an annual certification by CEOs. Critical infrastructure would have been protected. And DHS would not have become an über-regulator; instead, existing regulatory agencies would have overseen compliance with cybersecurity standards.

Alas, the Revised Cybersecurity Act of 2012 relies on voluntary action -- for everyone, regardless of their importance to national security. But what everyone does now is entirely voluntary, and more of the same will not improve security. The bill offers weak incentives for companies to certify that their networks are secure. It continues the overreliance on information sharing, accompanied by complicated protections to assuage the privacy community. Regulatory agencies can make cybersecurity standards mandatory to the limits of their existing authorities. The bill simply translates the status quo into legislation -- a status quo we all know is inadequate.

Few companies are likely to certify themselves because the incentives in the bill don't compensate for the regulatory risk this creates. A promise to "study" procurement preferences isn't much of an incentive -- it's like promising to study whether you should repay someone who lent you money -- and in any case, infrastructure companies are often sole providers for whom "preference" is not an incentive. The basic problem -- true since 1998 -- is there are no incentives sufficient to make companies in most critical infrastructure sectors take voluntary action to bring the security of their networks to the level needed for national defense.

Congress could fix this if it revised the Cybersecurity Act one more time to give the federal government the ability to mandate compliance with reasonable standards when this is needed to defend the nation, but there is probably not enough time before Congress goes out of session to do this. Most observers believe that the United States will only get effective cybersecurity legislation after there has been a crisis and that the country will then overreact, trampling privacy and putting in place rigid requirements. No one on the Hill wants this outcome, but it may be unavoidable.

The fate of cybersecurity legislation is symptomatic of a larger political crisis. Congress knows there is a problem, but cannot agree on a fix. That the cybersecurity bills fall short is not the fault of the sponsors and drafters of the bills, whose goal has always been to protect the nation. They have struggled for years with difficult issues and an intransigent opposition from shrink-government zealots and business groups. Whether these bills become law or not, the task of finding new, effective ways to secure the country's infrastructure and networks will now revert to the executive branch.

* This article has been updated to reflect the Senate's vote on Thursday.


Mitt Romney don't know much about economic history.

"Culture makes all the difference," Mitt Romney told an intimate gathering of Israeli businessmen at Jerusalem's posh King David Hotel. "And as I come here and I look out over this city and consider the accomplishments of the people of this nation, I recognize the power of at least culture and a few other things."

The U.S. Republican presidential hopeful, whose own net worth is estimated at roughly $250 million, went on to compare Israelis' economically comfortable existence with the more straitened circumstances in Palestinian areas. The comment predictably drew the ire of Palestinian leaders, with one senior official deriding it as "racist."

Despite the controversy, Romney then doubled down on his argument in a short op-ed for the National Review, asking, "But what exactly accounts for prosperity if not culture?"

Unfortunately for Romney, the answer is: quite a lot. True, his cultural explanation for why Israel is richer than Palestine has sparked an important debate that rarely occurs in the parochial, U.S.-centric world of American presidential elections. And given the important role the United States plays in global affairs, a presidential candidate's views about why the United States is more economically successful than most parts of the world are an important indicator of how he would approach the job.

Unfortunately, Romney's views are seriously out of sync with those of the great mass of social scientists. For one, as his more extended argument in the National Review illustrates, he confuses "culture" with institutions. By culture, social scientists mean people's values and beliefs. Romney refers to Americans' "work ethic," which is cultural, but he also claims that political and economic freedoms are the real keys to economic success. But political and economic freedom are not guaranteed by (or even related to) culture but by institutions, such as the U.S. Constitution or its system of property rights. Romney did cite Harvard University historian David Landes, who did indeed argue that values and beliefs are crucial for economic development, as providing the intellectual origins of his views -- but his focus on institutions is much more in line with our book Why Nations Fail than with Landes. Indeed, the facts on the ground in the Middle East illustrate the power not of culture, but of institutions.

It is true, of course, that living standards are much higher in Israel than in Gaza or the West Bank -- the gap is even wider, in fact, than Romney claimed. Israelis have much higher levels of educational attainment and better technology, and they benefit from much better provision of public services -- for example, roads, health care, and water -- than their Palestinian neighbors. There is also no denying that there are important cultural differences between Palestinians and Israelis: For instance, the former are primarily Muslims, while the latter are primarily Jewish.

But is there any cause-and-effect relationship between these cultural realities and differences in prosperity? The evidence suggests not. In fact, as economists Maristella Botticini and Zvi Eckstein point out in their recent book, The Chosen Few: How Education Shaped Jewish History, the origins of the high human-capital levels of Jews are in the historical adoption of educational institutions in Jewish society that induced people to become highly educated. This decision then led Jews to have a comparative advantage in trade and commerce -- specializations that have served them well in the modern world. This is where the roots of Israel's current prosperity lie, because these highly educated people migrated there, bringing their institutions with them. There was no cultural proclivity that led Jews to introduce or sustain these rules forcing Jews to educate their children. Rather, they emerged out of a political struggle between the Pharisees and the Sadducees to control Jewish society.

These new Israelis migrated to a place that had suffered a long history of colonial exploitation under the Ottomans and the British, who created extractive political and economic institutions -- in other words, political institutions that concentrated power narrowly and economic institutions designed to redistribute income and power to themselves at the expense of society. The Israelis replaced these with mostly inclusive institutions that encouraged technological progress and economic growth and created the Middle East's first democracy, but did not spread it to the Palestinians.

This happened for several reasons, none of them cultural. Let's start with the long history of Arab-Israeli enmity: The existence of the state of Israel was contested by the surrounding Arab states, leading to a long series of conflicts and Israel's capture of the West Bank and Gaza in 1967. It is hardly surprising that the Palestinian territories -- under occupation and geographically separated from each other -- were unable to develop inclusive political and economic institutions under such circumstances. The effects of the conflict haven't just been limited to the Palestinians: Several authoritarian Arab governments have used it to divert the attention of their citizens and consolidate their corrupt grip on power.

The Middle East conflict extracts political and economic costs on the Palestinians to this day. Israel continues to expropriate large tracts of land in the West Bank for settlements, and of course such insecure property rights have been disastrous for investment and prosperity on the Palestinian side. Both territories have also had serious economic restrictions imposed on them by the Israeli government, not to mention the destruction of infrastructure and buildings.

All this may be justified as necessary to maintain the security of the Israeli state, but it has obvious consequences for Palestinian prosperity. In addition, the Palestinians have not done well at creating the type of inclusive political institutions that are critical for generating economic development. This is mostly because the conflict and struggle for statehood damages accountability and creates serious political polarization, not due to any innate cultural differences.

Leaving aside the case of Israel and Palestine, we show in Why Nations Fail that Romney's ideas about "freedom" are much closer to the right way to think about relative prosperity than his ones about "culture." Rich countries are those that have created inclusive political and economic institutions. These spread political power broadly in society and make it accountable; they create an economy that can harness the talents, skills, and creativities of the vast mass of their citizens. We also show that cultural differences simply cannot account for the differences in economic prosperity we see today. They are either irrelevant, as in the case of the Israelis and the Palestinians, or they are themselves the product of institutional differences.

The most dramatic example of this is the divide between North and South Korea -- a previously cohesive cultural entity driven apart by war and radically different institutions. Since their split six decades ago, the South has prospered under its inclusive system, while the North -- with its extractive institutions based on central planning and continuous repression -- has been driven to the brink of famine. Bizarrely, Romney cites the case of the Koreas to support his culturalist argument. But the divergence of these two countries obviously cannot be blamed on deeply rooted cultural factors -- the only explanation is institutional differences and geopolitical realities. If Romney truly wants to understand the irrelevance of cultural factors to countries' success or failure, it's not Jerusalem he should've visited -- it's the Demilitarized Zone.