Government and the private sector need to be on the same page, the author says. Failure of leadership on cybersecurity

The Senate Thursday took up “comprehensive” legislation to address the serious cybersecurity threat facing our nation. This legislation — at President Barack Obama’s request — would impose massive federal regulation on the private sector.

As a result, the Senate could miss a real opportunity this year for a cybersecurity bill — though, back in April, the House passed consensus legislation whose essential premise has strong bipartisan support in both Houses. The reason the Senate is likely to fail is many senators (along with the majority of the House) understand that massive federal regulation — particularly in this troubled economy — is the wrong answer to these problems.


The Senate’s inability to find middle ground here can be traced directly back to the president’s failure to exercise serious leadership. The White House launched its push last May to get Congress to legislate on cybersecurity. The administration sent up a proposal that was so regulation-heavy and weak in other areas that not a single House or Senate member would support it.

Then, when the House was on the verge of passing strong bipartisan legislation, the president threatened a veto rather than seriously working with us. Though 42 Democrats joined with 206 Republicans to pass a House cyber intelligence bill, the president continued with his regulation-heavy proposal in the Senate.

Obama two weeks ago wrote a Wall Street Journal op-ed piece urging Congress to send him “comprehensive” cybersecurity legislation, including aggressive regulation to tell the private sector how to protect itself. The president raised the specter of massive disasters across the nation — trains being derailed, drinking water contaminated, financial crises, public health emergencies and electricity blackouts — all driven by cyber-attacks.

The president argued in favor of more regulation, saying that just as the government tells some companies how high to build fences, it should be able to tell every major economic sector how to protect its computers. Obama seems to think that if the federal government didn’t mandate door locks, people wouldn’t secure their houses.

Majorities on both sides of the Hill agree that’s just wrong.

Rather than regulating first, they want to begin addressing cybersecurity by getting the government and the private sector on the same page, sharing information about cyberthreats and how to protect themselves. The law now puts many barriers in the way of such sharing. So getting rid of them would be a strong step in the right direction.

There is also a firm consensus in Congress about just such threat information-sharing. All the major Senate cybersecurity bills contain information-sharing provisions similar to those passed by the House, though some versions are certainly better than others.

Yet the Senate will most likely still fail to act on any cybersecurity legislation this week because Obama continues to press for strong regulatory authority.

The reason we differ on regulation versus information-sharing is simple: The president clearly believes that the government is best placed to set cybersecurity rules for the whole economy — and it should do so now. I believe, however, that we must ensure that the private sector gets the right information to make good decisions about protecting its own systems — so it can innovate in response to new threat information — before we reach for a regulatory stick.

Given that we all agree that the private sector now doesn’t have full access to threat information, there can be no question that the president’s call for massive regulation is at least premature — if not fundamentally wrong.

Jumping to regulation now also runs contrary to our market-based economic system. It doesn’t give the market a chance to react to cyberthreats based on full information. Perhaps most important, threat information-sharing will help the private sector protect itself against the biggest cyberthreat we face today: the continual pillaging of nearly every sector of our economy by nation-states like China, which are stealing the core research-and-development secrets at the heart of our innovation economy. The president didn’t mention this threat at all.

The president’s advocacy in favor of strong federal regulation also reflects an essential misunderstanding of how fast cyberthreats evolve and how quickly we must shift to keep up.

Under the best of circumstances, any federal regulatory process could take months, even years, to develop and implement standards to protect against cyberthreats long since obsolete. So it could do little to defend against current threats.

The president’s regulatory approach also enjoys little support in the technology industry and Congress — specifically because it would stamp out cybersecurity innovation in favor of solutions that meet the slow, groaning requirements of the federal regulatory machine.

Given the threats we face today, and the consensus between both chambers of Congress and the White House that more information-sharing needs to happen, we must not let the debate over regulation stall progress here. The Senate must drop its failed effort to resolve the regulatory debate and instead simply pass a strong cybersecurity threat-sharing bill — along with other consensus measures — that can be sent to the president for his signature before the end of this Congress.

This bill would promote innovation without imposing stifling regulations. It’s the right way to protect America from cyberthreats. The president ought to lead the way and encourage the Senate to pass this now.

Rep. Mike Rogers (R-Mich.) is the chairman of the House Permanent Select Committee on Intelligence.