Time to Regulate Internet Security?

James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, and one of Washington's more respected cybersecurity experts, is on the schedule to give testimony Tuesday afternoon at the Senate Commerce, Science and Transportation Committee. The panel's topic: "Cybersecurity: Next Steps to Protect Our Critical Infrastructure." The Cybersecurity Act of 2009 will be a topic of conversation.

According to a copy of his testimony, Lewis will call for more government regulation of the Internet to improve cybersecurity. From his testimony:

Like other new technologies in the past - airplanes, cars, steam engines - the appeal and the benefits are so great that we have rushed to adopt the Internet despite serious safety problems. . . . For those earlier technologies, safety came about through innovation driven by government mandates, and by agreements among nations. The same process of development is necessary to secure cyberspace. The Cybersecurity Act of 2009 could play a vital role in this improvement.

This will not be an easy task. The United States does not like to deal with market failure. This has been true since the earliest days of the republic. Steam engines, although notoriously unsafe, had to wait forty years until a series of savage accidents costing hundreds of live led Congress to impose safety regulations. Automobile safety rules took more than half a century and initially faced strong opposition from manufacturers.

. . . Just as cars were not built to be safe until government pressure changed auto manufacturers' behavior, cyberspace will not be secure until government forces improvement. Twelve years of reliance on voluntary efforts and self-regulation have put us in an untenable situation. Some may argue that a move away from the market or a greater emphasis on security or a larger role for government will damage innovation in cyberspace. This argument is in part a reflection of competition among various bureaucracies, advanced to protect turf, but . . . also reflects a misunderstanding of the nature of innovation. There are grounds to be concerned about the ability of the U.S. to innovate when compared to other nations, but the real obstacles are a weak education system, poorly designed tax policies, damaging immigration rules, and mis-investment that makes it hard to develop new technologies and competitors. Removing these obstacles would be politically difficult and face strong opposition. It is easier to insist instead that keeping the Internet open and anonymous or bringing broadband to undeserving areas will somehow generate growth. Greater security is more likely to increase innovation, by reducing the loss of intellectual property and by increasing demand for more valuable internet services.

What may that regulation look like? Lewis plans to say it will be:

a broad rethinking of American law and policy, and will require adapting to the technologies we now depend on. It will need new kinds of international agreements, new standards and rules for industry, and new approaches to the professionalization of those who operate networks. This is no small task but, judging from experience, it is inevitable.