In Silicon Valley startup culture, “cookie licking” is a derogatory phrase. A cookie licker stakes a claim to a project in a way that prevents anyone else from having it, despite not having the ability to immediately execute on the project. The licker wants to save the delicious opportunity despite being too full to eat it immediately.
Sadly, cookie licking also comes to mind when we see the regulatory sharks circling in emerging tech areas such as cryptocurrency, artificial intelligence, or cybersecurity. As a former federal cybercrime prosecutor, appointed Obama administration cyber commissioner, and corporate information security executive recently convicted of cyber-related crimes, I have seen this up close more than anyone.
Twenty-five years ago, when I was tasked with bringing federal enforcement actions to protect people on the internet, my peers and I figured out one thing really quickly: The internet is different from any other place where law enforcement is expected to protect people because most of the internet is operated and managed by the private sector. Keeping people safe on the internet requires the government to invest in public-private partnerships and set clear expectations for those private sector entities. Back then, we also had to rely on legal codes crafted by Congress long before the internet was a twinkle in Al Gore’s eye. The law was not sufficient then, and it isn’t now.
Regulation by enforcement not the answer
Indeed, decades later, Congress has done little to establish rules of the cyber road or even articulate which authorities should be our cyber cops. The executive branch may have little choice but to do what it is doing now: Establish expectations for the private sector through regulation by enforcement. This is not ideal for anyone because regulation by enforcement doesn’t give corporate actors clarity on the rules of the road and empowers regulators to jump into any area that seems sexy without the requisite foundations of expertise, resources, and expectations. It is particularly dangerous when it leads the private sector to become afraid to work closely with the government to keep people safe.
The growing adversarial relationship is fueled by another unfortunate reality: Most of the malicious criminals who hurt Americans over the internet do so from outside the United States, where too often our law enforcement authorities are incapable of bringing justice to bear against those intent on harming others. Often impotent against these external actors, to many people in the industry it seems that enforcement authorities have shifted their gaze to the private sector as the easiest way to demonstrate to the public that they care.