Archives: February, 2012

The Tragedy of U.S. Iran Policy

The latest orchestrated frenzy over Iran’s nuclear program is reaching a crescendo. If the Obama administration were genuinely interested in increasing the prospects for a diplomatic resolution, it would be trying to lessen Iran’s perception of insecurity. Instead, every new policy initiative on Iran heightens that insecurity. Unless Iran responds to all of this in a way that few predict it will, each day brings us closer to another war in the Middle East.

Iran likely wants a nuclear option, if not a nuclear weapon, for a variety of reasons. The most important is security. The different treatment meted out to Iraq and Libya, on the one hand, and North Korea and Pakistan on the other taught Iran that the only sure way to avoid being attacked by the United States is to acquire a nuclear arsenal. Iran also probably seeks the international prestige of being at least an incipient nuclear state.

When Iran hears the constant threats emanating from Washington—the almost daily repetitions that a preventive war is “on the table,” attempts to strangle the Iranian economy, and legislation taking containment off the table—Tehran’s belief that the United States has aggressive intentions is confirmed. Iran knows that a nuclear capability wouldn’t provide it with power projection capability or allow it to dominate the Middle East. Rather, Iran would move from being a weak state with no deterrent to a weak state with a small deterrent. Tragically, the main reason America and Israel are so frantic about the Iranian nuclear program is that neither country wishes to allow itself to be deterred by Iran. In an election year, all of the political pressure on the administration is going to push the administration to make the problem worse, not better.

Cybersecurity Hype

The approving response of an IT security professional last week pointed me to a story about cybersecurity in which I’m featured. The story and accompanying video are called: “Is Cyberwar Hype Fuelling a Cybersecurity-Industrial Complex?” It’s a really good look at how government contractors, many former government officials, are working Washington to generate an issue.

How rare is it that a cybersecurity news report includes even a word of doubt about the nature and scope of the threat? How rare is it that any news report includes a word of doubt about the nature and scope of threats?

My correspondent, who works at a public utility in IT security, said some things that are fascinating and important.

We are being asked to do things that have no practical risk reduction value purely for the perceived benefit. It takes no effort to say that the cyber world is about to end yet it takes tremendous effort to continually demonstrate that we are prepared for anything.

In other words, operators of so-called “critical infrastructure” are already wasting effort on things that look like improved security because they’re in the position of proving that nothing could ever go wrong. This is because cybersecurity fear-mongerers are spinning apocalyptic tales. Imagine what it will be like when varied government bureaucracies are calling on the private sector to prove they are implementing endlessly varying, imagination-based federal cybersecurity dictates.

Now, a few caveats are in order: Cybersecurity is a real problem, and there are many challenges presented to all organs of society in securing computers, networks, and data. I’m quoted in the story saying there is “no chance whatsoever” that nuclear power plants and electric infrastructure would be hacked and taken down for any significant period of time. The more accurate phrasing would have been that the chance is “exceedingly small.” The point remains that these problems have nothing of the scale or significance of the war or terrorism (except to the extent that terrorism is also an important but entirely manageable problem).

In the event of some future, modest-consequence event, I fully expect to be called out as having been a Panglossian cybersecurity naysayer. (It’s a tactic one would expect from advocates who misstate basic math to hype threats.) Not so. I expect some bad things to occur. I don’t believe that centralizing our country’s cybersecurity efforts with the federal government would position us better to prevent them or respond to them.

Government Workers vs. Their Unions

As part of the payroll tax bill on Friday, Congress voted to tweak federal worker benefits. New federal hires will be required to make an additional contribution to their pension plans. While just a small change, federal worker unions railed against the bill as if were armageddon.

The American Federation of Government Employees called the pension change an “outrageous injustice that deserves the vociferous opposition of every Member of Congress with a conscience.” The AFGE was “outraged” by the bill because ”no group has sacrificed like federal employees” in recent years. Union press releases can be good for a chuckle.

Anyway, not all federal workers agree with their union heads. One member of the AFGE found a Cato essay on government unions online, and she was so ticked off with her union that she sent me these comments on Friday:  

As a member of AFGE, I often receive emails from my union leaders urging me to action … I am being urged to contact my congress members, asking them to oppose the payroll/unemployment insurance extension bill. Personally, I have not paid much attention to this particular bill or the consequences to passing such a bill. However, I am deeply offended by the constant calls from my union to oppose any limits put on the pay and pension of federal employees.

As a federal employee, I enjoy a generous salary, health benefits, vacation, and a comfortable pension. AFGE repeatedly states that reductions in federal employee pay ‘cost’ federal employees money. I understand that a freeze in my pay is not a reduction in my salary, but a reduction in deficit spending. My salary comes at the expense of taxpayers and future generations of Americans who will be required to pay down the debt.

It saddens me that the dues I pay via automatic payroll deduction are sent FIRST to my national union, then leftover change is sent to my local union. I have a voice in how my local union functions. I have virtually no say in what my national union does. I do not vote for my national union president. I do not get to decide how much of my dues go to support my national union. I do not have a voice about what issues my national union spends money on.

In the years that I have been writing about government union and compensation issues, I have received many emails from government employees. Most have opposed my views on curbing pay and union power.  When I say “opposed” I mean that foul language is not uncommon. But I have also received numerous thoughtful emails from government workers who are proud of their jobs and appreciate their compensation, but are concerned by the dysfunction of their agencies and by the retention of deadweight workers who receive generous pay but provide little return to taxpayers.

Thus, one suggestion I have for news organizations is to dig a little bit for their stories about government workers and government agencies. Talk to some actual workers in the trenches, rather than just quoting or parroting what the union heads are saying.  

Why We Honor George Washington

Today is some vaguely named “Presidents’ Day,” but Wednesday is the anniversary of George Washington’s birth. So it’s a good day to remember the contribution he made to the American republic. I wrote this several years ago:

George Washington was the man who established the American republic. He led the revolutionary army against the British Empire, he served as the first president, and most importantly he stepped down from power.

John Trumbull, “General George Washington Resigning His Commission”

In an era of brilliant men, Washington was not the deepest thinker. He never wrote a book or even a long essay, unlike George Mason, Thomas Jefferson, James Madison, Alexander Hamilton, and John Adams. But Washington made the ideas of the American founding real. He incarnated liberal and republican ideas in his own person, and he gave them effect through the Revolution, the Constitution, his successful presidency, and his departure from office.

What’s so great about leaving office? Surely it matters more what a president does in office. But think about other great military commanders and revolutionary leaders before and after Washington—Caesar, Cromwell, Napoleon, Lenin. They all seized the power they had won and held it until death or military defeat.

John Adams said, “He was the best actor of presidency we have ever had.” Indeed, Washington was a person very conscious of his reputation, who worked all his life to develop his character and his image.

In our own time Joshua Micah Marshall writes of America’s first president, “It was all a put-on, an act.” Marshall missed the point. Washington understood that character is something you develop. He learned from Aristotle that good conduct arises from habits that in turn can only be acquired by repeated action and correction – “We are what we repeatedly do.” Indeed, the word “ethics” comes from the Greek word for “habit.” We say something is “second nature” because it’s not actually natural; it’s a habit we’ve developed. From reading the Greek philosophers and the Roman statesmen, Washington developed an understanding of character, in particular the character appropriate to a gentleman in a republic of free citizens.

What values did Washington’s character express? He was a farmer, a businessman, an enthusiast for commerce. As a man of the Enlightenment, he was deeply interested in scientific farming. His letters on running Mount Vernon are longer than letters on running the government. (Of course, in 1795 more people worked at Mount Vernon than in the entire executive branch of the federal government.)

He was also a liberal and tolerant man. In a famous letter to the Jewish congregation in Newport, Rhode Island, he hailed the “liberal policy” of the United States on religious freedom as worthy of emulation by other countries. He explained, “It is now no more that toleration is spoken of as if it were the indulgence of one class of people that another enjoyed the exercise of their inherent natural rights, for, happily, the Government of the United States, which gives to bigotry no sanction, to persecution no assistance, requires only that they who live under its protection should demean themselves as good citizens.”

And most notably, he held “republican” values – that is, he believed in a republic of free citizens, with a government based on consent and established to protect the rights of life, liberty, and property.

From his republican values Washington derived his abhorrence of kingship, even for himself. The writer Garry Wills called him “a virtuoso of resignations.” He gave up power not once but twice – at the end of the revolutionary war, when he resigned his military commission and returned to Mount Vernon, and again at the end of his second term as president, when he refused entreaties to seek a third term. In doing so, he set a standard for American presidents that lasted until the presidency of Franklin D. Roosevelt, whose taste for power was stronger than the 150 years of precedent set by Washington.

Give the last word to Washington’s great adversary, King George III. The king asked his American painter, Benjamin West, what Washington would do after winning independence. West replied, “They say he will return to his farm.”

“If he does that,” the incredulous monarch said, “he will be the greatest man in the world.”

Soviet-Style Cybersecurity Regulation

Reading over the cybersecurity legislative package recently introduced in the Senate is like reading a Soviet planning document. One of its fundamental flaws, if passed, would be its centralizing and deadening effect on society’s responses to the many and varied problems that are poorly captured by the word “cybersecurity.”

But I’m most struck by how, at every turn, this bill strains to release cybersecurity regulators—and their regulated entities—from the bonds of law. The Department of Homeland Security could commandeer private infrastructure into its regulatory regime simply by naming it “covered critical infrastructure.” DHS and a panel of courtesan institutes and councils would develop the regulatory regime outside of ordinary administrative processes. And—worst, perhaps—regulated entities would be insulated from ordinary legal liability if they were in compliance with government dictates. Regulatory compliance could start to usurp protection of the public as a corporate priority.

The bill retains privacy-threatening information-sharing language that I critiqued in no uncertain terms last week (Title VII), though the language has changed. (I have yet to analyze what effect those changes have.)

The news for Kremlin Beltway-watchers, of course, is that the Department of Homeland Security has won the upper-hand in the turf battle. (That’s the upshot of Title III of the bill.) It’s been a clever gambit of Washington’s to make the debate which agency should handle cybersecurity, rather than asking what the government’s role is and what it can actually contribute. Is it a small consolation that it’s a civilian security agency that gets to oversee Internet security for us, and not the military? None-of-the-above would have been the best choice of all.

Ah, but the government has access to secret information that nobody else does, doesn’t it? Don’t be so sure. Secrecy is a claim to authority that I reject. Many swoon to secrecy, assuming the government has 1) special information that is 2) actually helpful. I interpret secrecy as a failure to put facts into evidence. My assumption is the one consistent with accountable government and constitutional liberty. But we’re doing Soviet-style cybersecurity here, so let’s proceed.

Title I is the part of the bill that Sovietizes cybersecurity. It brings a welter of government agencies, boards, and institutes together with private-sector owners of government-deemed “critical infrastructure” to do sector-by-sector “cyber risk assessments” and to produce “cybersecurity performance requirements.” Companies would be penalized if they failed to certify to the government annually that they have “developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements.” Twenty-first century paperwork violations. But in exchange, critical infrastructure owners would be insulated from liability (sec. 105(e))—a neat corporatist trade-off.

How poorly tuned these security-by-committee processes are. In just 90 days, the bill requires a “top-level assessment” of “cybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident across all critical infrastructure sectors” in order to guide the allocation of resources. That’s going to produce risk assessment with all the quality of a student term paper written overnight.

Though central planning is not the way to do cybersecurity at all, a serious risk assessment would take at least a year and it would be treated explicitly in the bill as a “final agency action” for purposes of judicial review under the Administrative Procedure Act. The likelihood of court review and reversal is the only thing that might cause this risk assessment to actually use a sound methodology. As it is, watch for it to be a political document that rehashes tired cyberslogans and anecdotes.

The same administrative rigor should be applied to other regulatory actions created by the bill, such as designations of “covered critical infrastructure,” for example. Amazingly, the bill requires no administrative law regularity (i.e., notice-and-comment rulemaking, agency methodology and decisions subject to court review) when the government designates private businesses as “covered critical infrastructure” (sec. 103), but if an owner of private infrastructure wants to contest those decisions, it does require administrative niceties (sec. 103(c)). In other words, the government can commandeer private businesses at whim. Getting your business out of the government’s maw will require leaden processes.

Hopefully, our courts will recognize that a “final agency action” has occurred at least when the Department of Homeland Security subjects privately owned infrastructure to special regulation, if not when it devises whatever plan or methodology to do so.

The same administrative defects exist in the section establishing “risk-based cybersecurity performance requirements.” The bill calls for the DHS and its courtesans to come up with these regulations without reference to administrative process (sec. 104). That’s what they are, though: regulations. Calling them “performance requirements” doesn’t make a damn bit of difference. When it came time to applying these regulatory requirements to regulated entities (sec. 105), then the DHS would “promulgate regulations.”

I can’t know what the authors of the bill are trying to achieve by bifurcating the content of the regulations with the application of the regulations to the private sector, but it seems intended to insulate the regulations from administrative procedures. It’s like the government saying that the menu is going to be made up outside of law—just the force-feeding is subject to administrative procedure. Hopefully, that won’t wash in the courts either.

This matters not only because the rule of law is an important abstraction. Methodical risk analsysis and methodical application of the law will tend to limit what things are deemed “covered critical infrastructure” and what the regulations on that infrastrtucture are. It will limit the number of things that fall within the privacy-threatening information sharing portion of the bill, too.

Outside of regular order, cybersecurity will tend to be flailing, spasmodic, political, and threatening to privacy and liberty. We should not want a system of Soviet-style regulatory dictates for that reason—and because it is unlikley to produce better cybersecurity.

The better systems for discovering and responding to cybersecurity risks are already in place. One is the system of profit and loss that companies enjoy or suffer when they succeed or fail to secure their assets. Another is common law liability, where failure to prevent harms to others produces legal liability and damage awards.

The resistance to regular legal processes in this bill is part and parcel of the stampede to regulate in the name of cybersecurity. It’s a move toward centralized regulatory command-and-control over large swaths of the economy through “cybersecurity.”

Local Governments Also To Blame For Housing Crisis

Most narratives of the financial-mortgage-housing crisis tend to focus on what are essentially demand-side factors.  Whether it is federal mortgage subsidies, like Fannie Mae, or reduced interest rates via loose monetary policy, these policies increase the demand for housing by allowing, and encouraging, more buyers to enter the market.  As I’ve written in more detail elsewhere, this narrative ignores the supply side of the market.

If housing supply could easily adjust to the increased demand that arises from other policy interventions, then prices would be unlikely to increase.  In fact, if supply increased more than demand, we could see falling house prices, despite the various federal subsidies.  The point is that for a price boom to develop, you need some sort of rigidity in supply (inelastic supply, as we economists would say).

So who has the most influence over housing supply?  Local governments.  A recent article in the January 2012 issue of the Journal of Urban Economics provides empirical evidence ”that more restrictive residential land use regulations and geographic land constraints are linked to larger booms and busts in housing prices. The natural and man-made constraints also amplify price responses to the subprime mortgage credit expansion during the decade, leading to greater price increases in the boom and subsequently bigger losses.”  A similar argument has been made by Cato scholar Randal O’Toole.

The lesson here is that if we want to avoid future property booms and busts, with their devastating impact on financial institutions, we also need to reform our local land use controls to allow for the more rapid response of supply to changes in demand.   Again, it wasn’t a lack of regulation that caused the crisis, but too much regulation, particularly of the land/housing market.

Senator Harkin’s Definition of Success

At a Senate Agriculture Committee hearing earlier this week, Senator Tom Harkin (D-Iowa), gave somewhat parenthetical comments (the main focus of the hearing was energy, rural development and crop insurance) on federal nutrition programs. Parenthetical they may have been, but I think they signify something important.

Harkin’s remarks on nutrition programs (or “food stamps” as they are more commonly, if less accurately, called) begin at about 52:30 and end at about 53:35 or so of this video. The part that most struck me was when the senator was describing a meeting he had with some Iowa consitutents. He had this to say [an official transcript is not yet available, but my trusty intern Ian Yamamoto listened to Harkin’s remarks and transcribed them for me]:

I just had my weekly breakfast this morning with Iowans. Had a big group there from the diocese of Davenport, a Catholic dioceses, and that’s what they wanted to talk about: was not backing off of our support for low-income people who are facing tough times now, with high rates of unemployment, that need the supplemental nutrition  assistance program, or as it’s called, food stamps. And I thought one of the statements made there was kind of profound they said ya know, someone’s accusing this president of being a food stamp president. One of them said well he ought to wear that as a badge of honor

OK, hold it right there. Really? The fact that millions of this nation’s people depend on the federal government to feed themselves is a badge of honor? Can we all agree, please, that regardless of how you feel about the federal government’s role and responsibility in providing a safety net—of food stamps or anything else—that this is not a situation to be proud of? According to Lisa Levenstein and Jennifer Mittelstadt, writing in the New York Times earlier this month, the food stamp program feeds 46 million Americans, about 15 percent of the U.S. population. But they point out that if everyone who was entitled to the program actually used it, we would see 20-25 percent of Americans on food stamps. They also, by the way, see the high numbers using food stamps as a good thing: “Conservatives are trying to smear Barack Obama by dubbing him the ‘food stamp president.’ He should not run from the label but embrace it…”

I don’t mean to pick on food stamps here—it’s not the policy hill on which I would choose to die. But I really do object when politicians or welfare advocates start celebrating dependency. We should all be talking about ways to cut the number of people needing food stamps in the first place.

Senator Harkin has form on this issue, by the way.