OBAMA’S CYBER ATTACK

The Wall Street Journal

  • September 24, 2012

Obama’s Cyber Attack

The White House’s looming power grab to regulate the Internet.

President Obama and Congress have checked out of Washington until after Election Day. But caveat, citizen. Their absence isn’t preventing harmful policy from spawning along the Potomac.

A case in point is a back door move to regulate the Internet. Any day now, the White House will issue an executive order on cybersecurity, according to Homeland Security Secretary Janet Napolitano, who said last week that the measure “is close to completion.”

The executive moved on its own after Congressional efforts stalled this summer amid Administration opposition. Ms. Napolitano shed crocodile tears over the Senate’s failure to adopt comprehensive cybersecurity legislation, even as the White House goes ahead with its order in the face of vociferous opposition on Capitol Hill.

What Ms. Napolitano didn’t say might help readers understand the cynical politics involved. The Administration worked to scuttle a compromise on the Hill. The Senate split over mandating IT security standards for private companies, and the Administration’s order resuscitates this contentious idea. It will also undercut efforts to fashion a bipartisan bill in a lame duck Congress.

Good legislative options exist. In a bipartisan vote, the House of Representatives in April adopted the Cyber Intelligence Sharing and Protection Act, which is a reasonable template for the Senate. Sponsored by the senior Democrat and Republican on the intelligence committee, it allows companies and government to work together to combat cyber threats.

Banks, chemical plants and utilities—the most significant and vulnerable targets for hackers and terrorists—could draw on the expertise of the National Security Agency, FBI and other federal departments to protect their networks. The government would understand and be better able to respond to fast-changing threats. This bill and a Senate version offer companies liability protection to encourage them to monitor their systems and report attacks and breaches—something an executive order can’t do.

Days before the House vote, however, President Obama surprised the Democratic co-sponsors by threatening to veto the measure. The White House cited privacy concerns. If voluntary and sporadic sharing of company IT information constitutes a surveillance program in disguise—as privacy scolds suggest—it’s the daffiest one ever invented.

The Administration’s evident motive is to impose government oversight of cyberspace. As it worked to undercut information sharing, the White House pushed the Senate to adopt mandatory IT standards for companies in “critical sectors.” Those provisions were weakened in later drafts of the measure, but Senate Republicans still sensibly balked at the attempt to give Ms. Napolitano’s DHS oversight over the virtual world, and any bill with such mandates could never pass the House.

Negotiations in the Senate over the August recess on a new version were fruitless. That’s not surprising, since the Administration had already decided to move ahead with its pet ideas by executive fiat.

According to leaked versions of the draft, the executive order would impose security standards for 16 critical industries. The adoption of these “voluntary” (ironic quotes intended) and probably costly measures could be a condition for private companies to win federal contracts. A DHS-led cybersecurity council will decide who’s “critical.” Twitter and Facebook could easily end up on the list along with electricity providers or financial services firms.

The Obama push is a case of the medicine being worse than the disease. DHS bureaucrats are no match for the dynamic and fast-changing world of technology. Any static standards they draw up will be an invitation for teen hackers or Chinese government cyber rogues to get around them.

Private companies have innovated and invested heavily to protect themselves without regulatory prodding. What they need from the government is an information-sharing program and liability protection. These measures are simple and useful, and therefore not surprisingly missing from the Obama Administration’s command-and-control approach to cybersecurity.

 

Share

Leave a Reply

Search All Posts
Categories