The plain truth is that the United States cannot defend the electronic systems that create much of our wealth and power. The government alone cannot fix this. Most of our networks are privately owned and operated. Even if government had the resources to strengthen and police these networks (it doesn't), we don't want the government living in the channels through which we conduct our business and private lives. Nor do we want the government mandating invariably rigid standards for industry. Unfortunately, however, much of our critical industry is not stepping up to the task.
Congress should learn a lesson and deal with cyber vulnerabilities one at a time and not in an omnibus bill that won't pass. Here's what it should do:
1. Require the owners and operators of a narrow class of critical infrastructure to promptly develop cyber security standards in a government-approved process. Standards should be flexible and regulatory layers should be rationalized. Failure to meet these standards after a reasonable interval should be made public.
2. Amend or repeal laws to enhance the role of private insurers in security standards. When shareholders rather than government bear risk, risk drops because businesses buy it down. That dynamic should be encouraged, not suppressed.
3. Protect companies from liability for sharing threat information with the government, with insurers, and among themselves. Companies often complain that the government doesn't share enough information with them -- especially classified information. But why don't companies improve security by sharing cyber threat information among themselves? The ostensible reason is fear of antitrust liability. The real reasons are potential damage to their brand and the belief that hoarding threat information creates competitive advantage. But the risk of brand damage can be avoided if sharing is restricted to threats, not damage; and it can't be true that all companies in an industry have a competitive advantage in security. Those that don't would improve their competitive position by sharing threat data. As a former antitrust prosecutor, I think the antitrust excuse is a red herring, but let's remove the excuse. It's easy to do, and cost-free.
4. Encourage private investment in cyber security through favorable tax treatment. When Congress gets serious about an issue, its agenda shows up in the tax code.
We don't just store information on our "information" networks; we use them to run everything we do -- from the ventilation and security system in your office building, to the operation of the switches on Amtrak and big-city subways, to the matching and clearing systems behind our securities exchanges, the governance of the electricity grid, controls over offshore drilling rigs in the North Sea and the Gulf of Mexico, and local water treatment plants. Many of these systems are poorly protected. The vulnerability of our critical infrastructure is what permits a third-rate power like Iran to play jujitsu with a superpower. Let's not wait for a disaster to happen. A nation that permits this vulnerability to continue is a nation that has lost the will to defend itself.