Wednesday, January 29, 2020

HR 5669 Introduced – SBA Cybersecurity Marketplace


Last week Rep Finkenauer (D,IA) introduced HR 5669, the Strengthening and Enhancing Cybersecurity Usage to Reach Every (SECURE) Small Business Act. This bill is very similar to S 3205 earlier this month. The differences between to two bills are mostly formatting (definitions in §4 in this bill and §2 in the Senate version) and minor changes in wording that are only of interest to lexicographers and lawyers.

Moving Forward


Finkenauer is a member, as is one of her cosponsors {Rep Joyce(R,PA)}, of the House Small Business Committee to which this bill was assigned for consideration. This means that it is possible that this bill could be considered in Committee. There may be some Republican opposition to this bill because this type of marketplace could be considered to be an entrepreneurial activity more suited to the public sector, but I suspect that the bill would receive at least some bipartisan support. There could be enough bipartisan support to allow this bill to be considered in the full House under the suspension of the rules process.

Commentary


My comments on the Senate version of this bill equally apply to this bill.

Today, I will rather address the proposed marketplace as an entrepreneurial activity. It would seem to me that there are many online marketplaces where owners are making money providing connections between sellers and buyers; eBay® is the most obvious example. I am not sure that government agencies ought to be in the business of directly competing with the private sector.

Of course, there does not appear to be a marketplace currently available that fulfills the intent of either of these two bills. I suspect that the reason is that it has just not occurred to anyone yet. So, is this current lack of a commercial cybersecurity marketplace justification for the establishment of a government run enterprise? I do not think so. Should Congress consider some means of encouraging the formation of such a commercial enterprise? To my mind, that is less clear.

The increasing rate of ransomware attacks and the ever-present specter of data breaches in the commercial sector are certainly affecting small businesses as well as large. The financial impact on small businesses probably has more of a chilling impact on the success of those businesses than it does on large concerns. The question is, is this impact on small businesses large enough to allow for congressional action under the interstate commerce clause of the constitution. If we look at just individual businesses, almost certainly not; the failure of a single mom-and-pop enterprise has an inconsequential effect on interstate commerce. If we look at small businesses in the aggregate, that almost certainly changes the response.

The question then becomes, what should be the government’s role in addressing the impact of cyberattacks on small businesses? Should the government be regulating how individual small business protect their cyber assets? Probably not; writing effective cybersecurity regulations that would adequately address cybersecurity processes at all types of small businesses would be nearly impossible and certainly the compliance costs would be high.

Should the government be responsible for smoothing the way for small businesses and cybersecurity vendors to work together? Possibly, but I think that providing a political appointee with the power to decide which vendors are ‘legitimate’ {§2(c)(2) in this bill} is fraught with the potential for the illegitimate use of political influence. No, such legitimacy issues are much better dealt with in a marketplace by user feedback and mediation processes.

No, I think that a government run marketplace like that proposed in these two bills is probably a bad idea. I think that small businesses would be better served by a commercial enterprise (obviously starting out as it’s own small business). I think Congress would better serve the small business community by figuring out how to encourage the establishment of such an enterprise rather than have the Federal government run one.

No comments:

 
/* Use this with templates/template-twocol.html */