The Logic of Cyber-Regulation Seen in Iranian Cyber-Attacks on U.S. Banks

By Jack Goldsmith
Wednesday, January 16, 2013, 6:31 AM

The WSJ reports that U.S. banks “are pressing for government action to block or squelch what Washington officials say is an intensifying Iranian campaign of cyberattacks against American financial institutions.”  The banks are asking the USG to use diplomatic pressure, block the attacks, or take down the computers launching them.  The WSJ adds: “The outcry is particularly significant from an industry that usually seeks to keep the government at arm's length.  Financial-services groups opposed a legislative effort last year to establish cybersecurity standards for key private-sector businesses, saying it could undermine protections already in place.”

Here we see in a nutshell the compelling case for U.S. government regulation of critical infrastructure in the cyber realm.  First, bank officials complained to the WSJ that defending their networks is very expensive, and added that “they can't be expected to fend off attacks from a foreign government.”  That’s right.  It is the federal government’s job to provide the public good of national defense, but providing national defense in this context means regulating the channels of cyber attack, just as the USG regulates the air, sea, and land channels through which an enemy might attack.  Private firms as a general matter lack the means, or the proper incentives, to provide optimal national defense.  Second, while the banks are deeply knowledgeable about cyberattacks and how to thwart them, the USG also has extraordinary, complementary, and in some respects superior expertise and tools related to these issues.  That is one reason why the banks are now (as the WSJ reports) running for help to “the White House, National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, and Treasury Department.”

The logic of regulation and of public-private partnerships in this context is powerful – not just to thwart the relatively benign denial-of-service attacks the banks are now suffering, but also to thwart the more insidious advanced persistent threats that banks (and many other entities) face.  As I have emphasized, however, it is (obviously) critical to get the regulations right, for poor regulations can be costly and can make the problem worse.  I have outlined the reasons why I think the rejected Lieberman-Collins bill was a sensible first step, and I will not reiterate those reasons now.  But at a minimum, I hope the Iranian attacks on U.S. banks will take off the table the question of whether regulation is appropriate, and allow us to focus instead on what forms of regulation are optimal.  The banks (and other private critical infrastructure operators) cannot both resist all forms of government regulatory involvement on the ground that they can handle the problem on their own, and beg the government for help every time something goes wrong.