On May 29, the Obama Administration released the results of its 60-day cyber review. The review correctly emphasized the vital role of the private sector in any future national cybersecurity strategy. Involving the private sector effectively, however, will require a liability protection regime--one that encourages industry to invest in cybertechnologies that protect against acts of cyberterrorism.
This can best be accomplished by the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, which provides liability protection for manufacturers whose products and services are used in combating terrorism. Congress should support the continuance and expansion of the SAFETY Act, and the Administration should ensure that the act's protections are used effectively in the cyber realm.
The Cybersecurity Review
President Obama ordered a 60-day review of the nation's cybersecurity efforts in February. Major cyberattacks, including one on the nation of Georgia, and a constant barrage of hackings on major financial institutions and retailers like T. J. Maxx and Marshalls (a hacker stole $45.7 million in credit and debit cards in 2007) have led the drive for a comprehensive assessment of cyber capabilities, challenges, and recommendations going forward.
The review highlights several major aspects of the national cyber realm, including the role of the federal government, a description of the nation's cyber problem, and recommendations for the future. The role of the private sector in helping to tackle the problem was also well documented in the review, including the need for more federal government-private sector partnerships.
The review further noted the need to continually invest and research new technologies to stop cyberattacks. Specifically, it called for the federal government to "harness the full benefits of technology> to address national economic needs and national security requirements." But the review emphasized the private sector's role in meeting this goal.
The Importance of the Private Sector in Cyber Protection
The private sector remains a pivotal partner in ensuring the safety of cyber infrastructure for the following reasons:
- Almost all cyber infrastructure is owned and maintained by the private sector;
- Cybertechnologies are used in almost every element of human life--from ATMs to medical technologies; and
- The private sector can research and develop new technologies at a faster rate than the federal government.
Even with the financial benefits of developing new cybertechnologies, the private sector will not invest in these new technologies if the benefits of doing so are outweighed by the risks. For example, companies are less likely to create and market a new product if a lawsuit stemming from it could destroy their entire business.
After the 1993 World Trade Center bombing, the New York Supreme Court upheld a decision that found the Port Authority of New York and New Jersey liable for the bombing. The court's reasoning: The Port Authority was aware of the threat and did not take reasonable steps to mitigate it. After 9/11, insurance premiums for terrorism-related risks skyrocketed, and a number of firms stopped offering terrorism insurance. This kind of liability and potentially devastating jury verdicts have made many companies hesitant to research, develop, and market anti-terrorism technologies.
But America simply cannot afford to let the private sector stop innovating. Recognizing this problem, Congress enacted the SAFETY Act, which lowered the liability risks of manufacturers that provide products and services used in combating terrorism by giving government-certified technologies protection from suit if the technology> failed or was involved in an act of terrorism. The SAFETY Act applies to a multitude of anti-terrorism technologies and includes those used to ward off cyberattacks.
How to Involve the Private Sector
The SAFETY Act continues to play an important role in ensuring that the U.S. does not lose its footing in the cyber domain. America needs companies to continue to develop technologies that keep the U.S. safer, both physically and virtually. As part of a future cyberstrategy, the Obama Administration should:
- Support the SAFETY Act. Over 200 companies have obtained SAFETY Act certification. The Department of Homeland Security (DHS) must continue to encourage new applicants for SAFETY Act certification. This approach needs to include aggressive marketing, especially to small businesses and specifically to cyber businesses. Neither DHS nor the private sector can assume that Congress will allow the SAFETY Act to stand over time, and it must be continually maintained.
- Go international. One area that is ripe for enhanced international cooperation is third-party liability for terrorist attacks. The SAFETY Act provides protections for "sellers" (manufacturers, distributors, and providers) for cases under the jurisdiction of U.S. courts. Terrorism, however, is a global threat, and homeland security is a global mission. From securing the border to protecting global supply chains, virtually every aspect of preventing terrorist attacks has an international dimension that requires the U.S. to work effectively with its friends and allies. Other countries should consider similar liability protection regimes to provide the industrial base around the world with incentives to develop and adopt the best tools to fight terrorism no matter where they are manufactured or employed. The U.S. should support these kinds of partnerships on a bilateral basis.
- Streamline the assessment process. DHS has gone to great lengths to make sure that the SAFETY Act process continues to be company-friendly. But the departments needs to ensure that the auditing program is not too burdensome and that it is reflective of business needs while verifying that only quality products obtain certification.
Support the Private Sector
The Obama Administration is right to place attention on America's cyber challenges. But it is vital to recognize the principal position of the private sector in ensuring cybersecurity. The Administration should be careful not to view the private sector as simply another partnership: It is a major player in the cyber domain whose efforts must be supported.
Jena Baker McNeill is Policy Analyst for Homeland Security in the Douglas and Sarah Allison Center for Foreign Policy Studies, a division of the Kathryn and Shelby Cullom Davis Institute for International Studies, at The Heritage Foundation.