Apparently the U.S. federal government has recognized the need for action, and the Administration and leaders in Congress have proposed a number of legislative solutions. However, I ended up feeling that we’d be better off if the government pretty much did nothing given that:
A number of practitioners described how regulations too easily lead to a “compliance culture,” where statutory requirements incentivize companies to check the right boxes, rather than implement better security
White hat hackers explained that vulnerabilities and exploit strategies are evolving much, much more rapidly than any conceivable government framework
Cybersecurity is a complex and messy socio-technical system, and the unintended negative consequences of any regulation could easily outweigh the benefits
A leading computer scientist observed that the incentives for appropriate behavior were already about right – and that a process-oriented standards framework was guaranteed to drive the technical experts out of the room.
The government therefore needs to be seen to be doing something – but the less it does, the better. This is not unlike the placebo effect, where a patient given a dummy treatment experiences a true improvement in their condition – without harmful side effects.
The problem is that while one pill looks much like another, making it relatively easy to trick a patient into thinking they’re getting a drug rather than a sugar pill, that’s harder to pull off with legislation that is made (more or less) in public, and which can be examined once it’s promulgated.
However, there are many tricks that are used to neuter legislation, making it less effective than it might appear. A politico could surely come up with a much longer and doubtless more accurate list, but I’d venture that they include:
Imposing mandates and requirements, but not funding enforcement
One could also focus the legislation on requiring studies, inter-departmental coordination and the articulation of best practices; this would burden government officials (and the taxpayer's purse) but leave the rest of the system unaffected.
Ensuring that different parts of the law contradict each other
Providing loopholes and exemptions for everybody, leaving no-one under an obligation to do anything
In fact, it might even work if one doesn’t try to disguise the fact that the legislation is designed to be a no-op. Ted Kaptchuk at Harvard Medical School and his colleagues found that placebos can work even when you know they're fakes (PLoS One, 2010).
Placebo legislation will solve the dilemma of government needing to be seen to address cybersecurity, but not doing anything that will make matters worse. In fact, this may be exactly what one currently proposed Bill on the matter (H.R. 3674) may end up achieving, given that it seems to be largely focused on establishing best practices and facilitating information sharing.
In his introduction to the meeting, Dean Phil Weiser of the CU Law School paraphrased Ed Felten’s observation about network neutrality: that the best thing government could do was to threaten to act, but not in fact legislate. I believe he was referring to the conclusion of Felten’s Nuts and Bolts of Network Neutrality (2006):
“There is a good policy argument in favor of doing nothing and letting the situation develop further. The present situation, with the network neutrality issue on the table in Washington but no rules yet adopted, is in many ways ideal. ISPs, knowing that discriminating now would make regulation seem more necessary, are on their best behavior; and with no rules yet adopted we don’t have to face the difficult issues of line-drawing and enforcement. Enacting strong regulation now would risk side-effects, and passing toothless regulation now would remove the threat of regulation. If it is possible to maintain the threat of regulation while leaving the issue unresolved, time will teach us more about what regulation, if any, is needed.”
The medical analogy was influenced by reading Deirdre K. Mulligan & Fred B. Schneider, Doctrine for Cybersecurity, 140 J. of Amer. Academy of Arts & Sci. 70, 72-73 (2011). Mulligan & Schneider analogize cybersecurity to public health.
Another stimulus was Bruce Schneier’s 2007 essay, In Praise of Security Theater.
I’ve also been inspired by New Scientist’s excellent coverage of the placebo (and nocebo) effect over the years.