One of the arguments [I’ve been making](http://techliberation.com/2010/10/20/what-is-the-evidence-for-cybersecurity-regulation/) about proposed cybersecurity regulation and legislation is that despite a lot of hype about a massive online threat, there is little evidence to corroborate the dire warnings. Almost every article I’ve read revealing a breach or cyberattack only quotes anonymous government sources, then defense contractors and politicians point to these articles and proclaim, “If you only knew what we know, you’d be taking action now!”
Fear, however, is poor driver of public policy. Before we start telling private companies how to run their security, we should analyze the threat and asses whether there is a legitimate concern and whether government could do a better job. That’s impossible as long as most evidence of a threat is classified.
So I’m glad to see former NSA and CIA chief Gen. Michael Hayden call for less secrecy in order to get better analysis. In the [new issue](http://www.au.af.mil/au/ssq/spring11.asp) of Startegic Studies Quartley, he writes [[PDF]](http://www.au.af.mil/au/ssq/2011/spring/hayden.pdf):
>Let me be clear: This stuff is overprotected. It is far easier to learn about physical threats from US government agencies than to learn about cyber threats. In the popular culture, the availability of 10,000 applications for my smart phone is viewed as an unalloyed good. It is not—since each represents a potential vulnerability. But if we want to shift the popular culture, we need a broader flow of information to corporations and individuals to educate them on the threat. To do that we need to recalibrate what is truly secret. Our most pressing need is clear policy, formed by shared consensus, shaped by informed discussion, and created by a common body of knowledge. With no common knowledge, no meaningful discussion, and no consensus . . . the policy vacuum continues. This will not be easy, and in the wake of WikiLeaks it will require courage; but, it is essential and should itself be the subject of intense discussion. Who will step up to lead?
Who indeed. Congress may be getting secret briefings that outline a potential cyberthreat. If they are, they should recognize that they may be only getting one view of the issue. Also, the people on whose behalf they are legislating also deserve to have a clear understanding of the risks against which Congress might legislate. “Trust us,” is not good enough. By reducing the over-classification Hayden writes about, Congress could allow economists, computer scientists, and other academics delve into the weeds of determine what is the true nature of the threat and whether a market failure exists that calls for government intervention.