Larry Downes: If It Ain't Broke… - ' Looking to the Private '

But when the final version was issued, in February 2003, nearly all the concrete recommendations were gone, replaced by a passive strategy in which the government would "investigate," "encourage" and "promote" the market forces that, in turn, were expected to generate private-sector solutions to secure cyberspace. As the final report put it with unusual candor, "[F]ederal regulation will not become a primary means of securing cyberspace. Broad regulations mandating how all corporations must configure their information systems could divert more successful efforts by creating a lowest-common denominator approach . . . which evolving technology would quickly marginalize."

Two things happened between the initial draft and the final report that, I think, explain the change of tone. Most important was the creation of the Department of Homeland Security, which was given the task of implementing any recommendations that came out of the report. The second, quite simply, was the passage of time. The draft report was written in the immediate aftermath of Sept. 11, when the momentum to do something, anything, to prevent future national trauma was strong. Indeed, the draft report was written by a task force made up of 20 senior members of various federal agencies, none of whom were likely to have to implement any of the report's recommendations.

The final report, and the subsequent lethargy of the DHS, reflect what is fundamentally a conservative view of government: Don't get involved until it's clear the market has failed. To quote again from the final report, "Externally, a government role in cybersecurity is warranted in cases where high transaction costs or legal barriers lead to significant coordination problems; cases in which governments operate in the absence of private sector forces; resolution of incentive problems that lead to under provisioning of critical shared resources; and raising awareness."

Well, guess what? I agree. For one thing, the Internet is not like other national infrastructures. Unlike highways, the Internet is not built and operated by government entities. Unlike public utilities, such as the electric grid and the water supply, the Internet is not heavily supervised, inspected or controlled by regulators. At its core, the Internet is a private infrastructure, which owes its remarkable success, spread and constantly improving price/performance to the fact that it is in some sense a reflection of "market forces" at their purest—an infrastructure of profoundly low, and always dropping, transaction costs.

Our best defense against a catastrophic loss of Internet access is not a less supine DHS—perhaps one under a Democratic administration and Congress—but the Internet itself. Its decentralized design, full of the kind of checks and balances that make democracies work, is far more capable of withstanding natural disaster or terrorist attack than anything all the agencies and task forces and public/private partnerships in Washington could ever come up with. As the GAO report notes, since the creation of the DHS, the Internet has withstood a Baltimore tunnel fire in 2001 that burned key fiber-optic cables, the destruction caused by Hurricane Katrina, and coordinated attacks from the Code Red and Slammer worms. In all these instances there were local disruptions, but most Internet users weren't even aware of the damage. And the DHS played no part in the recovery.

So rather than wait for the DHS to develop broad solutions to Internet security on both large and small scales, and rather than appropriate more funds for the agency to pretend that's what it's doing, we should acknowledge that we don't really need a public/private partnership at all. We have a mostly functioning market of backbone providers, ISPs and Internet security companies, who work with corporate and private customers to eliminate the most obvious risks of failure and damage. Whether by design or government ineptitude, that's pretty much the system that's been in place since before Sept. 11, and it's worked pretty well. If we leave it alone, it will likely continue to work well for a long time to come.

Okay, so the federal government shouldn't be responsible for securing the Internet. But you'd think its employees could at least learn to turn on the Windows feature that requires a password before booting up a laptop.