For those who prefer a brief summary, or just like watching stuff on their computer, here is the video of my November Cato Monetary Conference presentation.
Cato at Liberty
Cato at Liberty
Email Signup
Sign up to have blog posts delivered straight to your inbox!
Topics
Soviet-Style Cybersecurity Regulation
Reading over the cybersecurity legislative package recently introduced in the Senate is like reading a Soviet planning document. One of its fundamental flaws, if passed, would be its centralizing and deadening effect on society’s responses to the many and varied problems that are poorly captured by the word “cybersecurity.”
But I’m most struck by how, at every turn, this bill strains to release cybersecurity regulators—and their regulated entities—from the bonds of law. The Department of Homeland Security could commandeer private infrastructure into its regulatory regime simply by naming it “covered critical infrastructure.” DHS and a panel of courtesan institutes and councils would develop the regulatory regime outside of ordinary administrative processes. And—worst, perhaps—regulated entities would be insulated from ordinary legal liability if they were in compliance with government dictates. Regulatory compliance could start to usurp protection of the public as a corporate priority.
The bill retains privacy-threatening information-sharing language that I critiqued in no uncertain terms last week (Title VII), though the language has changed. (I have yet to analyze what effect those changes have.)
The news for Kremlin Beltway-watchers, of course, is that the Department of Homeland Security has won the upper-hand in the turf battle. (That’s the upshot of Title III of the bill.) It’s been a clever gambit of Washington’s to make the debate which agency should handle cybersecurity, rather than asking what the government’s role is and what it can actually contribute. Is it a small consolation that it’s a civilian security agency that gets to oversee Internet security for us, and not the military? None-of-the-above would have been the best choice of all.
Ah, but the government has access to secret information that nobody else does, doesn’t it? Don’t be so sure. Secrecy is a claim to authority that I reject. Many swoon to secrecy, assuming the government has 1) special information that is 2) actually helpful. I interpret secrecy as a failure to put facts into evidence. My assumption is the one consistent with accountable government and constitutional liberty. But we’re doing Soviet-style cybersecurity here, so let’s proceed.
Title I is the part of the bill that Sovietizes cybersecurity. It brings a welter of government agencies, boards, and institutes together with private-sector owners of government-deemed “critical infrastructure” to do sector-by-sector “cyber risk assessments” and to produce “cybersecurity performance requirements.” Companies would be penalized if they failed to certify to the government annually that they have “developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements.” Twenty-first century paperwork violations. But in exchange, critical infrastructure owners would be insulated from liability (sec. 105(e))—a neat corporatist trade-off.
How poorly tuned these security-by-committee processes are. In just 90 days, the bill requires a “top-level assessment” of “cybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident across all critical infrastructure sectors” in order to guide the allocation of resources. That’s going to produce risk assessment with all the quality of a student term paper written overnight.
Though central planning is not the way to do cybersecurity at all, a serious risk assessment would take at least a year and it would be treated explicitly in the bill as a “final agency action” for purposes of judicial review under the Administrative Procedure Act. The likelihood of court review and reversal is the only thing that might cause this risk assessment to actually use a sound methodology. As it is, watch for it to be a political document that rehashes tired cyberslogans and anecdotes.
The same administrative rigor should be applied to other regulatory actions created by the bill, such as designations of “covered critical infrastructure,” for example. Amazingly, the bill requires no administrative law regularity (i.e., notice-and-comment rulemaking, agency methodology and decisions subject to court review) when the government designates private businesses as “covered critical infrastructure” (sec. 103), but if an owner of private infrastructure wants to contest those decisions, it does require administrative niceties (sec. 103(c)). In other words, the government can commandeer private businesses at whim. Getting your business out of the government’s maw will require leaden processes.
Hopefully, our courts will recognize that a “final agency action” has occurred at least when the Department of Homeland Security subjects privately owned infrastructure to special regulation, if not when it devises whatever plan or methodology to do so.
The same administrative defects exist in the section establishing “risk-based cybersecurity performance requirements.” The bill calls for the DHS and its courtesans to come up with these regulations without reference to administrative process (sec. 104). That’s what they are, though: regulations. Calling them “performance requirements” doesn’t make a damn bit of difference. When it came time to applying these regulatory requirements to regulated entities (sec. 105), then the DHS would “promulgate regulations.”
I can’t know what the authors of the bill are trying to achieve by bifurcating the content of the regulations with the application of the regulations to the private sector, but it seems intended to insulate the regulations from administrative procedures. It’s like the government saying that the menu is going to be made up outside of law—just the force-feeding is subject to administrative procedure. Hopefully, that won’t wash in the courts either.
This matters not only because the rule of law is an important abstraction. Methodical risk analsysis and methodical application of the law will tend to limit what things are deemed “covered critical infrastructure” and what the regulations on that infrastrtucture are. It will limit the number of things that fall within the privacy-threatening information sharing portion of the bill, too.
Outside of regular order, cybersecurity will tend to be flailing, spasmodic, political, and threatening to privacy and liberty. We should not want a system of Soviet-style regulatory dictates for that reason—and because it is unlikley to produce better cybersecurity.
The better systems for discovering and responding to cybersecurity risks are already in place. One is the system of profit and loss that companies enjoy or suffer when they succeed or fail to secure their assets. Another is common law liability, where failure to prevent harms to others produces legal liability and damage awards.
The resistance to regular legal processes in this bill is part and parcel of the stampede to regulate in the name of cybersecurity. It’s a move toward centralized regulatory command-and-control over large swaths of the economy through “cybersecurity.”
Related Tags
Local Governments Also To Blame For Housing Crisis
Most narratives of the financial-mortgage-housing crisis tend to focus on what are essentially demand-side factors. Whether it is federal mortgage subsidies, like Fannie Mae, or reduced interest rates via loose monetary policy, these policies increase the demand for housing by allowing, and encouraging, more buyers to enter the market. As I’ve written in more detail elsewhere, this narrative ignores the supply side of the market.
If housing supply could easily adjust to the increased demand that arises from other policy interventions, then prices would be unlikely to increase. In fact, if supply increased more than demand, we could see falling house prices, despite the various federal subsidies. The point is that for a price boom to develop, you need some sort of rigidity in supply (inelastic supply, as we economists would say).
So who has the most influence over housing supply? Local governments. A recent article in the January 2012 issue of the Journal of Urban Economics provides empirical evidence “that more restrictive residential land use regulations and geographic land constraints are linked to larger booms and busts in housing prices. The natural and man-made constraints also amplify price responses to the subprime mortgage credit expansion during the decade, leading to greater price increases in the boom and subsequently bigger losses.” A similar argument has been made by Cato scholar Randal O’Toole.
The lesson here is that if we want to avoid future property booms and busts, with their devastating impact on financial institutions, we also need to reform our local land use controls to allow for the more rapid response of supply to changes in demand. Again, it wasn’t a lack of regulation that caused the crisis, but too much regulation, particularly of the land/housing market.
Senator Harkin’s Definition of Success
At a Senate Agriculture Committee hearing earlier this week, Senator Tom Harkin (D‑Iowa), gave somewhat parenthetical comments (the main focus of the hearing was energy, rural development and crop insurance) on federal nutrition programs. Parenthetical they may have been, but I think they signify something important.
Harkin’s remarks on nutrition programs (or “food stamps” as they are more commonly, if less accurately, called) begin at about 52:30 and end at about 53:35 or so of this video. The part that most struck me was when the senator was describing a meeting he had with some Iowa consitutents. He had this to say [an official transcript is not yet available, but my trusty intern Ian Yamamoto listened to Harkin’s remarks and transcribed them for me]:
I just had my weekly breakfast this morning with Iowans. Had a big group there from the diocese of Davenport, a Catholic dioceses, and that’s what they wanted to talk about: was not backing off of our support for low-income people who are facing tough times now, with high rates of unemployment, that need the supplemental nutrition assistance program, or as it’s called, food stamps. And I thought one of the statements made there was kind of profound they said ya know, someone’s accusing this president of being a food stamp president. One of them said well he ought to wear that as a badge of honor…
OK, hold it right there. Really? The fact that millions of this nation’s people depend on the federal government to feed themselves is a badge of honor? Can we all agree, please, that regardless of how you feel about the federal government’s role and responsibility in providing a safety net—of food stamps or anything else—that this is not a situation to be proud of? According to Lisa Levenstein and Jennifer Mittelstadt, writing in the New York Times earlier this month, the food stamp program feeds 46 million Americans, about 15 percent of the U.S. population. But they point out that if everyone who was entitled to the program actually used it, we would see 20–25 percent of Americans on food stamps. They also, by the way, see the high numbers using food stamps as a good thing: “Conservatives are trying to smear Barack Obama by dubbing him the ‘food stamp president.’ He should not run from the label but embrace it…”
I don’t mean to pick on food stamps here—it’s not the policy hill on which I would choose to die. But I really do object when politicians or welfare advocates start celebrating dependency. We should all be talking about ways to cut the number of people needing food stamps in the first place.
Senator Harkin has form on this issue, by the way.
Trying to Do Everything, Doing Nothing Well
One of the perennial laments about American strategy offered by people like me is that Washington seems incapable of setting out clear priorities in its foreign policy. Everything is urgently important. The business section of today’s New York Times highlights the unfortunate results of this orientation.
You may have heard by now that the United States and other allied countries are currently trying to strangle the Iranian economy to the point where the regime in Tehran feels enough pain—or, more accurately, fears for its survival enough—that it is forced to comply with the preconditions for negotiations and come to the table. This is deemed a Very Important Objective by the Washington foreign-policy elite.
But what you may have forgotten is that the United States is currently undertaking a “pivot” away from the Near East and toward the region where Washington believes the future of international politics lies: the Asia-Pacific. In pursuit of that objective, the United States is currently trying to pull together a coalition of junior partners to help diplomatically and militarily surround China so as to hem it in, should it have any ambition to take charge of the security environment in its region. This, too, is a Very Important Objective.
And before you get ahead of yourself, don’t forget about Poor Little Georgia, which got a chunk of its territory annexed after it lost a war to Russia in 2008. As President Bush pointed out, America’s vital interests and its deepest beliefs are now one. And surely our deepest beliefs don’t involve leaving a flawed-but-promising democratic nation to the tender mercies of a predatory and authoritarian Moscow regime, do they? So let’s agree that keeping Georgia safe is a vital interest.
The problem with this approach is that it’s very hard to pursue these difficult objectives at once. As the Times piece points out, the sanctions coalition against Iran conflicts with a number of these other objectives:
[N]ew threats to Iranian oil flow could have at least one beneficiary: Russia…
For Russian oil companies like Rosneft and Lukoil and the Russian-British joint venture TNK-BP, the international tensions that began over Iran’s nuclear development program last autumn have meant a windfall. Analysts estimate that Iran jitters have added $5 to $15 a barrel to the global price of oil, which means an extra $35 million to $105 million a day for the Russian industry. And the taxes the Russian government has received from those sales have been a political windfall for Prime Minister Vladimir V. Putin as he campaigns to return as Russia’s president. The extra money has helped further subsidize domestic energy consumption, tamping down inflation.
“It’s good for Putin,” Mr. Mercer said. “In the United States, when oil prices go up, the president’s ratings go down. In Russia, it’s the opposite.”
So our Iran policy helps Russia and Putin, and that’s bad. But wait:
[A]t least one exemption [to the Iran sanctions] under discussion is meant specifically to limit the strategic benefits for Russia, which has been an outspoken critic of American and European strictures against Iran.
The United States and European Union are negotiating an exemption that would continue to provide the former Soviet state of Georgia—a nation that is now a Western ally—an alternative to Russian natural gas. The workaround allows payments to an Iranian company, Naftiran Intertrade, that has a share of the Shah Deniz natural gas field in the Caspian Sea.
The field, managed by the Western petroleum giant BP, is a supplier to Georgia. It is also a potential source for the proposed Nabucco pipeline, which would be managed by a consortium based in Vienna and backed by some Western European governments to create European competition with Gazprom. But the pipeline, seen as a maneuver to weaken Russia’s hand in European energy politics, has been stalled in the planning phase for years.
So we’re carving out an escape hatch for Iranian natural gas to get to Georgia, because we have friends in Tbilisi. Oh, and what about that pivot to Asia? Any trouble on that front?
China, meanwhile, is expected to circumvent the Iranian sanctions with tacit American approval by settling its oil purchases with Iran through banks that have no dealings in the United States. India, for its part, has negotiated to barter wheat for oil, or pay Iran directly in rupees.
Hmm. Oh, and what about our war in Afghanistan, which has already cost hundreds of billions of dollars, with the meter currently running somewhere between $8 and $10 billion per month? What’s going on over there? Maybe the Post has something on that:
ISLAMABAD, Pakistan — At one end of the flower-festooned table sat the president of Iran, Mahmoud Ahmadinejad, perhaps the world’s most relentless America basher.
At the other end sat Hamid Karzai, Afghanistan’s leader, who owes his nation’s survival to the United States.
And in the middle was Pakistani President Asif Ali Zardari, whose country’s complex relationship with Washington swings from pole to pole.
If there existed any conflict among the chief executives of the three neighboring Islamic nations, they certainly weren’t showing it Friday at the close of a trilateral summit in Pakistan’s capital. At a news conference Zardari hosted in his splendid official residence, the theme was fraternal unity as the trio pledged to work for peace and prosperity in a region raging with war and terrorism.
It’s almost as if there are tradeoffs among our objectives.
Related Tags
President Obama To Promote Possibly Limitless Corporate Welfare
The Wall Street Journal reports today that President Obama will formally announce his intention to let Beijing set U.S. export credit policy [$] at, fittingly enough, a Boeing plant. Boeing is obviously feeling a bit of political heat about the fact it benefits from almost half of Ex-Im’s disbursements, though, so they are pledging to commit more than $700 million to small business so they can better access credit. They’ve also stepped up their lobbying efforts, this time hiring a Republican-aligned lobbying firm to help them squash some mutinous feeling among Republican ranks.
Here’s Don Boudreaux’s take; spot-on, as usual.
Mandates in Practice: the Flap over Contraception Coverage
First, President Obama requires church-affiliated employers to offer insurance that covers contraception. When that’s properly challenged as a violation of religious liberty, the administration offers a supposed compromise that essentially shifts the burden to the insurance industry: the church-affiliated employer is off the hook, but its insurer has to provide coverage—and can’t charge for it. That’s right: private companies must provide free insurance for services that Obama’s HHS secretary has repeatedly called a major financial burden.
Government by fiat: to solve a First Amendment religious freedom problem that the president himself created, he orders private companies to offer contraception coverage at zero premium.
Then we’re treated to the nonsensical and unsupported assertion that insurers will save money in the long run because they won’t have to pay for pregnancies that contraception would have prevented. In other words, executives running a multi-billion dollar industry—until they were enlightened by HHS bureaucrats—were too stupid to realize that providing free contraception to everybody costs less than pregnancies by individuals who (a) had childbirth coverage, but (b) not contraception coverage, and (c) would have used contraception, but (d) didn’t, because (e) they couldn’t afford to. Of course, that’s just baloney. What’s really at work, as Charles Krauthammer has aptly characterized it, is breathtaking arrogation of power by the feds: a Washington, D.C. takeover of our private health care system.