Not All Critical Infrastructure Is Created Equal

Any executive order creating new protections needs to weigh the potential consequences of disruption.

Earlier this week, Rep. Zoe Lofgren, D-Calif., released a letter she had sent to White House Cybersecurity Coordinator Michael Daniel urging the White House, as it considers issuing an Executive Order to regulate cybersecurity, to only focus on “genuinely” critical infrastructure.

Specifically, Rep. Lofgren says that the order should only include those systems that if disrupted, could cause “major economic disruption, the loss of thousands of lives, or severe degradation of national security.” She goes on to write that the letter should exclude “non-critical online services, such as social networking, search engines, and e-commerce networks.”

Common sense says that Rep. Lofgren’s approach is the right one. It doesn’t make sense for the White House to issue an Executive Order requiring agencies, especially during these tight budgetary times, to be conducting risk assessments and developing standards for my Facebook wall, Bing searches, and Amazon purchases or wish lists. I even wonder how such an order would look, especially given the constant changes and advances being made in those areas, as well as the emergence of new innovative sites and actors in those spaces.

That said, I have written before that Congress and the administration should be thinking about how to more effectively work with the private sector to secure each of the areas identified by Rep. Lofgren to ensure that consumer privacy and security are not compromised. While not rising to a national security level (yet), identity theft, intellectual property theft, and data breaches do threaten our economic security and need to be addressed in a comprehensive yet non-restrictive manner that doesn’t harm innovation and technology advancement. Rep. Lofgren acknowledges this by noting the need for a “transparent legislative process that affords technical experts and the public adequate opportunity for input.” Any effective effort will require the industry to lead in those areas, though the government could assist by providing critical intelligence and threat information in a timely manner.

As Congress and the Administration continue to grapple with cybersecurity for government and critical infrastructures in the national security arena, future discussions should consider the nexus between national security and economic security and how to construct a holistic approach to address both while also recognizing the inherent differences in how and why to protect our nation’s assets or, in an individual’s case, social networking likes and 140-word missives.