Why Government Always Gets Cybersecurity Wrong
Otto von Bismarck is thought to have said that if you want to respect law and sausage you should watch neither being made. Charlie Mitchell supports this view in his recent book Hacked: The Inside Story of America’s Struggle to Secure Cyberspace by providing an in-depth, comprehensive history of cybersecurity policy during the Obama administration. The chronological account explores interactions between the White House, the bureaucracy, special interests, and Congress. Mitchell considers several points of view and gives the reader a thorough understanding of competing perspectives on issues such as privacy and regulation.
This is a historical work, not a theoretical one (Public Choice Theory is never mentioned), but it is of great value to Public Choice scholars because it explores issues at the heart of the discipline, such as how legislators, bureaucrats, and special interests respond to the incentives they face and how policy gets made (or not made) in light of these competing incentives.
The Politics of Cybersecurity Legislation
The articulation of a cybersecurity policy began in earnest towards the end of the Bush administration, with the Obama White House picking up where its predecessor left off. However, after Congress failed to pass legislation dealing with the issue during his first term, President Obama issued an Executive Order in February 2013 calling for (among other things) a non-regulatory approach to cybersecurity based on collaboration between the government and the technology industry.
The National Institute of Standards and Technology (NIST) was tasked with developing a framework of “voluntary standards” for cybersecurity in collaboration with the tech industry. This was done through a series of conferences where representatives from the two sides met at various college campuses across the country to hash out what such a framework might look like. During and after this process, other government agencies pursued cybersecurity within their various spheres of influence, some successfully (Federal Communications Commission), some unsuccessfully (Department of Homeland Security).
A constant theme throughout the book is Congress’s struggle to pass significant cybersecurity legislation. The issue seems to be constantly before Congress during Obama’s second term, but it is frequently kicked to the curb by partisan fighting, elections, government shutdowns, congressional recesses, and other legislative concerns. Cybersecurity legislation is finally passed in the House in April 2015, and in the Senate in October of the same year.
As mentioned earlier, the story of cybersecurity policy during the Obama administration is ripe for Public Choice analysis because it is a story of incentives and self-interest on the part of the legislature, special interests, and bureaucracy.
Congress has very few incentives to deal efficiently with the cybersecurity problem. Doing so would most likely require the creation of a cybersecurity committee. This, however, is highly unlikely because, as retired Rep. Jane Harman says, “people in [Congress] earned their power through committee positions.” Cybersecurity is currently under the jurisdiction of several different committees, none of which will be willing to give up power or influence over such an important issue.
Mitchell shows this by mentioning that John McCain asked for a cyber committee to be created, until he took control of a committee that dealt with it. Additionally, Hacked shows how the perverse incentives of party politics and re-election push legislators to shortsighted policies. Cybersecurity legislation is repeatedly passed over because of looming elections, government shutdowns, squabbles between Republicans and Democrats, the budget, immigration, and the Iran nuclear deal. This essential element to national security that should be rather straightforward is constantly left in the hopper with little hope of floor time because politicians are busy with more “pressing” matters.
The Role of Special Interests
Special interests loom large in the discussion of any significant piece of legislation, and cybersecurity is no exception. Tech industry representatives distrust government agencies and are afraid that the “voluntary” framework process will quickly devolve into harsh regulation. They and other interest groups make their voices heard throughout the legislative process. The two competing special interests seen in the book are those arguing for privacy protection, such as the ACLU and the Center for Democracy and Technology, and those representing the cyber industry, such as the US Chamber of Commerce.
To protest the Cyber Information Sharing Act (CISA) privacy advocates sent faxes to senators urging them to vote against the bill (they claimed to be using 1984 technology to protest a bill reminiscent of “Big Brother” in the George Orwell classic). On the other side of the issue, industry representatives began a “myth-versus-fact” campaign to show that CISA wasn’t a surveillance bill. Both sides end up fighting not for the best policy but for the one that benefits them the most.
The Expanding Footprint of DHS
The federal bureaucracy is an excellent example of the Public Choice principle that public actors respond to incentives the same way private ones do, namely that they are concerned with their own self-interest. The Department of Homeland Security (DHS) is seen as unwilling to cooperate with industry (it has no incentives to do so), and did little to change this reputation. DHS, which has more cybersecurity responsibilities than any other federal agency, has many other concerns besides cyber, and because of this is not incentivized to give the issue the attention it deserves.
Indeed, DHS only took on cybersecurity because it “saw cyber as a potential ‘win’ area.” The Federal Trade Commission (FTC) provides an example of a bureaucratic agency trying to enlarge its footprint. The FTC sees itself as protecting consumers from “unfair and deceptive [business] practices.” It sought to extend this power into the cyber realm and had its authority to regulate and punish companies affirmed by two 2015 court cases. Security companies took advantage of this and in a “bootleggers and Baptists” scenario created NIST framework-based products asserting that because of the FTC’s newfound powers, cybersecurity was mandatory.
However, Hacked does provide one example of public and private incentives aligning, namely the NIST framework creation process. NIST has several institutional advantages: it is small but well respected, and “it doesn’t provoke jealousy or underhanded attacks from other government agencies because it’s not a regulator and has no interest in bureaucratic turf wars.” It was likely unable (and had few incentives) to push the private sector around.
This, as well as the fact that the framework it created was to be voluntary and the result of a collaborative process, helped to create a system where the government and the private sector worked together. The non-regulatory nature of the program also meant that the threat of government regulation could incentivize companies to use the framework.
Mitchell closes the book with musings on the future of cybersecurity in the United States. Restructuring the bureaucracy or Congress would better equip the government to deal with the problem, and questions still remain about how to encourage companies to invest in cybersecurity and whether the government or the private sector will drive innovation. He states