How would you like the Department of Homeland Security to be in charge of your IT security?
If Congress has its way the folks who run the TSA would be given the power to require better computer security of companies with systems "whose disruption could result in the interruption of life-sustaining services, catastrophic economic damage or severe degradation of national security capabilities."
Don’t worry too much, though. The decision about which companies to regulate would be made “with input from businesses.” For some reason that doesn’t make me feel any better.
This is from the bill being pushed by Senate Majority Leader Harry Reid (D-Casinos) and supported by the White House. It’s just one of 30 or so such bills currently percolating on the Hill.[*] As with much legislation, it starts with a good intention: Shielding vital infrastructure, including the power grid and water supply, from cyber attack. It’s believed that as much as 85 percent of the nation’s critical infrastructure is owned and operated by private companies.
And, as with much legislation, it basically extends government power without actually improving anything. Businesses already know hacking is costing them money – this is really the only incentive needed for them. Fortunately and unsurprisingly, a lot of industry groups are lobbying against this because of the additional costs it would mean. What businesses really want is a law that would give them legal protections so they can share information with authorities without risking antitrust or privacy violations.
There are some helpful things the government could be doing on this issue. First is facilitating the sharing of best security practices by companies in control of vital infrastructure. The other is to make sure all levels of government follow vigorous security protocols and require the same from outside contractors.
There are many cases where government regulation of business is needed. Those mostly have to do with guaranteeing individual rights and maintaining the free and fair operations of markets. Cybersecurity is one that the profit motive is going to handle just fine.
[*]The clever acronyms are already out in force: H.R. 3674 is the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act.