U.S. Cybersecurity Policy: Problems and Principles

Published August 1, 2013

Cybercrime and cyberattacks are genuine threats, with reports of data breaches, hacks, or thefts appearing regularly in the news. But as law enforcement, industry, academic, and government experts prepare to gather in New York City on August 5–8 for the fourth International Conference on Cybersecurity (ICCS 13), it’s worth asking whether the threat has been overstated and the government’s approach to it, overreaching.

In “U.S. Cybersecurity Policy: Problems and Principles,” a new Policy Brief from The Heartland Institute, IT policy analyst Steven Titch summarizes the three broad categories of cyberthreat – theft/fraud, espionage/exposure, and disruption/destruction – and describes the appropriate responses to each. He explains why “the current, one-size-fits-all approach to cybersecurity, exemplified by CISPA [the Cyber Intelligence Sharing and Protection Act], the Cybersecurity Act, and CFAA [the Computer Fraud and Abuse Act] cannot help but fail.”

Titch also explains why fears that the U.S. may be vulnerable to a cyberterrorist attack are likely overblown and should be viewed rationally. Could a cyberattack cause death and destruction on a massive scale? Could power plants be shut down, the rail system be hacked so freight trains derail or crash, or the air traffic control system be so crippled as to cause mid-air collisions? Titch addresses all of these concerns and more.

For policymakers and those they represent, Titch offers seven principles of sound cybersecurity policy. He notes the flaw in cybersecurity policymaking to date “is that it sees cybersecurity as something separate and apart from conventional law-and-order and national defense issues.” Effective cybersecurity, he writes, builds on existing laws and law enforcement mechanisms; his first principle of sound cybersecurity policy is: New laws should be a last resort.