Square Off- Is Cyberterrorism Being Thwarted

Wayne Crews NO: Government should increase efforts to collaborate with the private sector. More legislation isn't the answer.

Computer attacks like MyDoom, Sobig, and others have caused billions of dollars in global economic damage. MyDoom proved to be the world's fastest-spreading virus ever, sending out more than 100 million contaminated E-mails in its first 36 hours last January. And that's just one virus. The past 18 months have yielded a record number of even more sophisticated worms and other cyberattacks.

In their wake, questions abound about Washington's cybersecurity emphasis and whether it's sufficient. In September, Department of Homeland Security's cybersecurity czar, Amit Yoran, who had warned of a digital Pearl Harbor, abruptly resigned—the third administrator to do so—amid rumors of his frustration with the lack of attention paid to computer security at the agency.

Of course, it's not certain how much any government can do in this regard. What's clear is that proposing more legislation—which has been the government's answer to making the Internet more secure—hasn't done much good. The private sector needs to resolve the problems.

For example, last year's Can-Spam Act did little to stop the problem. On the contrary, it may even have inspired businesses to begin sending unsolicited E-mails. Moreover, the law doesn't address cyberthreats directly: The bad guys don't obey the law, and many viruses originate abroad and, therefore, aren't subject to U.S. regulation.

This impulse toward regulatory solutions has been a mistake. The government should focus on arresting computer criminals, not on cyber-regulations. In addition, the Bush administration itself should make sure it doesn't become a cybersecurity risk by undermining individual privacy in this age of proposed national ID cards to regulate encryption.

What the government can do is protect its own networks and set internal government-security product standards to get its own house in order. In addition, the administration should increase efforts to collaborate with the private sector. Private-sector experimentation in cybersecurity is necessary. The marketplace is increasingly forced to address cybersecurity, and efforts are under way, such as Microsoft's automating of security. Important cybersecurity concerns surround information sharing, anonymity, and questions of insurance and liability-all issues that CIOs and chief security officers deal with every day.

When the market makes mistakes—for example, spam blacklists—it's easier to change than bad government legislation.

Private innovations in security can create an environment where insurers feel more comfortable offering liability coverage. In addition, businesses could develop authentication technologies far more capable than those we have today. If vendors were starting from the ground up, it's likely they'd invent new solutions to put authentication at the core of a fully commercial network.

Even in the best case, it's not clear what government could really fix. But if government continues on its current path, a lot more could break.

C. WAYNE CREWS is VP for policy and director of technology studies at the Competitive Enterprise Institute, a non-profit group.

Print page