If you’re not at the table, you’re on the menu.
That aphorism about Washington, D.C. power games certainly applies to the “cybersecurity council” that a draft Obama Administration executive order would create.
The failure of cybersecurity legislation in Congress was regarded as “a blow to the White House” — heaven knows why — so the plan appears to be to go ahead and regulate without congressional approval. Under the draft EO, a Department of Homeland Security‐led cybersecurity council will develop a report to determine which agencies should regulate which parts of the nation’s “critical infrastructure.”
Keep an eye on that phrase, “critical infrastructure,” because it’s a notorious weasel‐word. I argued in 2009 congressional testimony that something might be critical if “compromise of the resource would immediately and proximately endanger life and health.” But the CSIS report—the prominence of which is matched only by its lack of rigor—said, “[C]ritical means that, if the function or service is disrupted, there is immediate and serious damage to key national functions such as U.S. military capabilities or economic performance.”
When hungry bureaucrats are doing the interpreting, economic performance means “anything.” The subjectivity of “immediate” and “serious” doesn’t change that.
So the “cybersecurity council” will sit down at a table and carve up the economy to determine which agency regulates what industry in the name of “cybersecurity.” They’ll wheel and deal amongst themselves over everything that might fail with imagined “critical” consequences — never mind that they have no idea what to do about it.
Then it’s fake it ’til you make it. Though they haven’t got authority from Congress, these agencies will act as though they do. Businesses that don’t participate in government standard‐setting will risk having the standards used against them in liability actions. Companies that don’t participate in “voluntary” information‐sharing will see their ability to win government contracts erode.
Again, I don’t see why the Obama administration thinks it matters so much to seize power under the “cyber” banner. Perhaps they’re taken in by the gross threat‐exaggeration that pervades this area. But Steven Bucci of the Heritage Foundation has it right:
The President should resist the temptation to ladle on a new regulatory bureaucracy (or bureaucracies) simply to satisfy the need to “do something.” If it is not done right, it will do damage. Let the debate continue until it is done right, Mr. President. It’s called the democratic process, and it invariably provides the best answers, even if it takes awhile.