Cybersecurity: Talking Points vs. Substance

In the late stages of a legislative battle, it often comes down to "talking points." Whoever puts out the message that sticks wins the debate—damn the substance.

Rep. Mike Rogers (R-MI) is prioritizing talking points over substance if a CQ report about a speech he gave to the Ripon Society is accurate. (He put it up on his Web site, from which one could infer endorsement. Rogers is not a cosponsor of SOPA, the Stop Online Piracy Act, so let's not have the government taking down the house.gov domain just now, mkay?)

From the report:

"We’re finding language we can agree on," he said in a speech to the Ripon Society, a moderate Republican group. "Are we going to agree on everything? Probably not. They don’t want anything, anytime, ever." But, Rogers said, he hopes to give the groups "language that at least allows them to sleep at night, because I can’t sleep at night over these threats."

This seems to suggest that a few tweaks to language, well in the works with the privacy community, will make his version of cybersecurity legislation a fait accompli. I'm a keen observer of the privacy groups, and I see no evidence that this is so. The bill is so broadly written that it is probably unrepairable.

And that is a product of Congress's approach to this problem: Congress does not know how to address the thousands of difference problems that fall under the umbrella term "cybersecurity," so it has fixed on promiscuous (and legally immunized) "information sharing" with government security agencies as the "solution." Privacy can rightly be traded for other goods such as security, but with no benefits discernible from wanton information sharing, one shouldn't expect sign-off from the privacy community.

That is not actually the message of the privacy community, who, on average, trust the government more than most conservatives and libertarians. The mainstream privacy community probably would accept highly regulatory and poorly formed cybersecurity legislation if it had enough privacy protections. But Rogers' talking points try to push privacy folk onto the "unreasonable" part of the chess board, saying, "They don’t want anything, anytime, ever."

That's closer to my view than anything the orthodox privacy advocates are saying. Cybersecurity is not an area where the federal government can do much to help. But even I said in my 2009 testimony to the House Science Committee that the federal government has a role in improving cybersecurity: being a smart consumer that influences technology markets for the better.

What Representative Rogers—and all advocates for cybersecurity legislation—have failed to do is to make the affirmative case for their bills. "I can't sleep at night" is not an answer to the case, carefully made by Jerry Brito of the Mercatus Center at Cato's recent Hill briefing, that the threat from cyberattacks is overblown.

The briefing was called "Cybersecurity: Will Federal Regulation Help?" That's a place one can go for substance.