In the face of an onslaught of espionage – industrial or otherwise – via “cyber” means, the government has every right to demand better solutions from industry. This includes both “security” applications as well as basic technology. Government is also right to be concerned about the level of cyber security in those industries that provide essential services to its citizens. A government that cannot provide safety and security for its people isn’t much of a government.
Of course almost all of the industries that supply said services are in private hands, even if they are subject to government regulation. That regulation does not come without a cost, which is what most industries balk at when they’re told by the government that they need to improve security. There is nothing like having all the responsibility but none of the authority or resources.
One could argue that the rhetoric surrounding pending legislation, specifically the Cybersecurity Act of 2012, sounds eerily like that espoused in the aftermath of 9/11 (not trying to conflate the two) in that bad things are happening and that if we don’t so something drastic now, then who knows what will happen tomorrow. Except that it is thinking like that that gets us outfits like DHS and TSA, which were well-meant, but have turned out to be less-than-optimal approaches to national security problems.
The elephant in the room of course is that the cyber-based threat to national security (directly or through the chain of relationships that make up the industries and technologies used in the defense of the nation) remains essentially unchanged from year to year, it is only the attention to the problem that is on the rise. Specific techniques may change, and the victims will vary, but only someone with no depth of experience – or a really bad memory – would say otherwise. There is no “cyber 9/11” coming or “Digital Pearl Harbor” around the corner. The “wake up call” all the popular pundits warn about went off decades ago, we’ve just been hitting the snooze button.
Cyber is ascendant because the actual 9/11 was a decade ago and the kinetic activities that have taken center stage in the national security arena are waning. Eventually interest in dealing with the “imminent” cyber threat will wane as well (it tends to be about a five-year cycle) because something shiny and kinetic will appear to distract us from this perpetual and hard-to-understand problem.
We need better cyber security in this country – and worldwide – but that is not going to be accomplished via legislation; at least not as it is crafted normally, much less if it is rushed. Even the most well-thought-out and forward-looking law passed tomorrow would be overtaken by events by the time the next President is sworn into office. That’s not a dig on lawmakers, it’s simply a factor of technology.
Successfully combating cyber threats means devising tactics that operate at the same speed and on the same scale as what we are trying to stop. Any governmental effort to fight fire with fire – and across the whole forest – is a non-partisan course of action we should all get behind.