Last week Rep Finkenauer (D,IA) introduced HR 5669,
the Strengthening and Enhancing Cybersecurity Usage to Reach Every (SECURE)
Small Business Act. This bill is very similar to S
3205 earlier this month. The differences between to two bills are mostly
formatting (definitions in §4 in this bill and §2 in the Senate version) and
minor changes in wording that are only of interest to lexicographers and
lawyers.
Moving Forward
Finkenauer is a member, as is one of her cosponsors {Rep
Joyce(R,PA)}, of the House Small Business Committee to which this bill was
assigned for consideration. This means that it is possible that this bill could
be considered in Committee. There may be some Republican opposition to this
bill because this type of marketplace could be considered to be an entrepreneurial
activity more suited to the public sector, but I suspect that the bill would
receive at least some bipartisan support. There could be enough bipartisan
support to allow this bill to be considered in the full House under the suspension
of the rules process.
Commentary
My comments on the Senate version of this bill equally apply
to this bill.
Today, I will rather address the proposed marketplace as an entrepreneurial
activity. It would seem to me that there are many online marketplaces where
owners are making money providing connections between sellers and buyers; eBay®
is the most obvious example. I am not sure that government agencies ought to be
in the business of directly competing with the private sector.
Of course, there does not appear to be a marketplace
currently available that fulfills the intent of either of these two bills. I
suspect that the reason is that it has just not occurred to anyone yet. So, is
this current lack of a commercial cybersecurity marketplace justification for
the establishment of a government run enterprise? I do not think so. Should
Congress consider some means of encouraging the formation of such a commercial enterprise?
To my mind, that is less clear.
The increasing rate of ransomware attacks and the ever-present
specter of data breaches in the commercial sector are certainly affecting small
businesses as well as large. The financial impact on small businesses probably
has more of a chilling impact on the success of those businesses than it does
on large concerns. The question is, is this impact on small businesses large enough
to allow for congressional action under the interstate commerce clause of the
constitution. If we look at just individual businesses, almost certainly not;
the failure of a single mom-and-pop enterprise has an inconsequential effect on
interstate commerce. If we look at small businesses in the aggregate, that
almost certainly changes the response.
The question then becomes, what should be the government’s
role in addressing the impact of cyberattacks on small businesses? Should the
government be regulating how individual small business protect their cyber
assets? Probably not; writing effective cybersecurity regulations that would
adequately address cybersecurity processes at all types of small businesses
would be nearly impossible and certainly the compliance costs would be high.
Should the government be responsible for smoothing the way
for small businesses and cybersecurity vendors to work together? Possibly, but
I think that providing a political appointee with the power to decide which
vendors are ‘legitimate’ {§2(c)(2) in this bill} is fraught with the potential
for the illegitimate use of political influence. No, such legitimacy issues are
much better dealt with in a marketplace by user feedback and mediation
processes.
No, I think that a government run marketplace like that proposed
in these two bills is probably a bad idea. I think that small businesses would
be better served by a commercial enterprise (obviously starting out as it’s own
small business). I think Congress would better serve the small business
community by figuring out how to encourage the establishment of such an enterprise
rather than have the Federal government run one.
Posts
No comments:
Post a Comment