What is the evidence for cybersecurity regulation?

October 20, 2010 · 9 comments

I’ve been looking into the cybersecurity issue lately, and I finally took the time to do an in-depth read of the [Securing Cyberspace for the 44th Presidency](http://csis.org/publication/securing-cyberspace-44th-presidency) report, which is frequently cited as one of the soundest analyses of the issue. It was written by something of a self-appointed presidential transition commission called the “Commission on Cybersecurity for the 44th President,” chaired by two congressmen and with a membership of notables from the IT industry, defense contractors, and academia, and sponsored by CSIS.

What I was struck by is the complete lack of any verifiable evidence to support the report’s claim that “cybersecurity is now a major national security problem for the United States[.]” While it offers many assertions about the sorry state of security in government and private networks, the report advances no reviewable evidence to establish the scope or probability of the supposed threat. The implication seems to be that the authors are working from classified sources, but the “if you only knew what we know” argument from authority didn’t work out for us in the run-up to the Iraq war, and we should be wary of it now.

Now, while they may not say much about what exactly the threat is, they do tell us exactly how they’d like to fix it: “Regulate for Cyberspace,” they say in a chapter heading. This includes mandatory security standards and mandatory authentication of identity using government-issued credentials for access to critical infrastructure. (Who gets to decide what counts as critical infrastructure?) The report asserts plainly:

>It is undeniable that an appropriate level of cybersecurity cannot be achieved without regulation, as market forces alone will never provide the level of security necessary to achieve national security objectives.

But without any verifiable evidence of the threat, how are we to know what exactly is the “appropriate level of cybersecurity,” and whether market forces are providing it? To its credit, the Commission recognizes that over-classification is a problem and recommends more information sharing. Until the public can see some evidence of a threat, and as long as less sober proponents of cybersecurity regulation and spending are using [alarmist rhetoric](http://techliberation.com/2010/03/01/reengineering-the-internet-for-cybersecurity/) to push their agenda, we should hope Congress takes it slow on the issue.

**Bonus:** The CSIS Commission is apparently very security conscious. The report, which is made available as a PDF, is somehow encrypted in a way that does not allow one to copy and paste or search within the document. You can copy, but when you try to paste you get garbage. Searching returns no results. Kinda not the way a free exchange of ideas happens online.
