Research & Commentary: Cybersecurity

Published December 13, 2012

Cyber-terrorism, hackers, identity theft, and viruses threaten to disrupt digital networks. Given the increased reliance of many industrialized nations on computers to manage their economies and basic infrastructure, digital attacks represent a severe threat.

Sens. Joe Lieberman and Susan Collins proposed the Cybersecurity Act in February 2012. The bill failed in Congress in November 2012, but there is talk that President Barack Obama may implement it through an executive order.

The plan increases regulation by combining the Department of Homeland Security’s (DHS) cybersecurity programs into one office and giving DHS the power to work with private companies to standardize cybersecurity protocols for private companies that operate components of the nation’s critical infrastructure. The proposal also calls for private companies and the federal government to share information on possible cyber-threats.

Opponents of the proposal argue it gives DHS too much power and allows Internet service providers and other Web companies too share too much private information with the government without a warrant. Human rights and privacy groups oppose the proposal, arguing it is too vague and does not do enough to protect private information. It is also devoid of important details, including funding and a lack of clarity on which infrastructure would be considered critical, and it relies too much on technology.

Ultimately, the government’s cybersecurity plan places too much faith in regulation and ignores the private sector’s success in combating cyber-threats. Government efforts to protect the nation’s digital infrastructure are both well-intentioned and defensible in principle, but a slate of new regulations is not the right response.

The following articles examine in greater detail cybersecurity and the efforts to combat cyber-threats.

Cybersecurity Bill Killed, Paving Way for Executive Order
Eric Engleman of Bloomberg discusses the failure of the Cybersecurity Act in Congress and the possible future of cybersecurity reform, which some experts predict will reemerge as an executive order. 

Demise of Cybersecurity Bill Means Executive Order on the Way
Taylor Armerding of CSO Online reports on the current state of cybersecurity reform. Armerding argues the demise of the Cybersecurity Act of 2012 clears the way for President Obama to issue an executive order implementing at least some of the major elements of the bill. The article cites political observers who believe an executive order was Senate Majority Leader Harry Reid’s endgame since the bill failed the first time in August. 

No Cybersecurity Act Is Better than a Flawed One
Steven Titch of the Reason Foundation examines the federal government’s proposals for cybersecurity reform and contends their approach, which relies on top-down government mandates, a blind faith in surveillance and identification technology, and centralized management and control of both the network and information, is not the right policy for protecting U.S. computer systems and data. “Instead of collecting data on citizens and creating Internet kill switches,” he writes, “the government needs to adopt policies based on industry best practices. Good policy, at heart, protects the information infrastructure—and by extension consumers, individuals and enterprises—by raising awareness and changing behavior.” 

Is Cybersecurity a Public Good? Evidence from the Financial Services Industry
This paper from the Independent Institute asks whether private businesses, when left to their own devices, provide enough cybersecurity or if some form of government involvement is justified. 

Obama’s Cyber Executive Order: More Government Control of the Network
Paul Rosenzweig of The Heritage Foundation discusses the Obama administration’s draft executive order on cybersecurity. Rosenzweig argues Republicans and Democrats in both houses of Congress rejected a regulatory approach and the U.S. needs responsive, nimble cybersecurity defenses and policies that will not come from more regulations or government-set standards. 

Insurance and the Computer Industry
This article examines the role the insurance industry will have in determining development of cybersecurity systems. 

Reducing Systemic Cybersecurity Risk
This report, part of a broader OECD study into Future Global Shocks by Peter Sommer and Ian Brown, looks for examples of events or disasters that could induce failure of the global financial system. They authors conclude very few single cyber events have the capacity to cause a global shock. Nevertheless, governments need to make detailed preparations to withstand and recover from a wide range of cyber disasters, both accidental and deliberate, they write. 

The Law and Economics of Cybersecurity: An Introduction
Mark F. Grady and Francesco Parisi introduce work by leading national scholars examining the complex national challenges of cybersecurity from a law and economics perspective. They consider a range of approaches, from pure market solutions to public-private plans, providing insights into the appropriate governmental role in cybersecurity. 

The Alarming Trend of Cybersecurity Breaches and Failures in the U.S. Government
In two publications, Paul Rosenzweig of The Heritage Foundation examines a growing trend in cybersecurity breaches in the U.S. government. Rosenzweig argues national cybersecurity should be a cooperative effort between the private sector and government, with each contributing in its own way. Onerous regulations are not the solution to the ever-expanding reality of cyber threats. 

Research & Commentary: Cyberinsurance
Heartland Institute Senior Policy Analyst Matthew Glans outlines the development of the cyberinsurance market and its function in promoting cybersecurity. 

Cybersecurity Bill Introduced in Senate
Writing for the Heartlander digital magazine, Alyssa Carducci reports on how growing concerns about cybersecurity threats prompted a bipartisan group of U.S. senators to introduce legislation to combat the problem. Private-sector companies that operate critical infrastructure systems, however, say the bill goes too far, she reports.

Nothing in this Research & Commentary is intended to influence the passage of legislation, and it does not necessarily represent the views of The Heartland Institute. For further information on this and other topics, visit The Heartlander’s Tech News Web site at, The Heartland Institute’s Web site at, and PolicyBot, Heartland’s free online research database, at

If you have any questions about this issue or The Heartland Institute, contact Heartland Institute Senior Policy Analyst Matthew Glans at 312/377-4000 or [email protected].