It’s no secret that hackers can penetrate networks which deliver essential products and services. At the Los Angeles Times, Ken Dilanian writes:
The U.S. is vulnerable to a cyber attack, with its electrical grids, pipelines, chemical plants and other infrastructure designed without security in mind. Some say not enough is being done to protect the country.* * * *
The basic roadblocks are that the government lacks the authority to force industry to secure its networks and industry doesn’t have the incentive to do so on its own.
Not so fast.
Government itself played an important role in the design of the networks. Traditionally, most of them were and/or still are subject to pervasive government regulation designed to provide all consumers with comparable products and services at the lowest possible prices. Government has also generally limited the liability of common carriers for service disruptions.
Building encryption into these networks, disconnecting them from the public Internet, arming them with the capability to detect and eliminate threats, etc., is going to be expensive. These costs will not simply go away by empowering President Obama’s cyber-security “czar” with “real authority,” as Dilanian suggests.
If consumers do not appear to be be interested in paying higher prices for essential goods and services so they can be delivered over more secure networks, then private investors will not finance network security. If consumers are forced to pay higher prices, they will have less to spend on other things.
The challenge is for network providers to design successful products and services that justify greater network security, and this is not one of Washington’s core competencies. In some cases, outdated government regulations limit what they can do or how much they can charge.
We do not need a cyber-security dictator, however a cyber-security evangelist would be useful. One of the things this person could do is convince the President to initiate a regulatory review to ensure that federal, state and local regulation is fully compatible with cyber-security and submit appropriate recommendations for Congress where it is not.