Critical Perspectives: Cybersecurity Legislation

Karen EvansJeff GouldJeff Wright by Karen Evans, KE&T Partners
Jeff Gould, SafeGov.org
Jeff Wright, Aveshka, Inc.
Wednesday, March 21, 2012

In our Critical Perspectives series, SafeGov.org asks its experts to offer their views on critical public sector cloud issues.

This week's question: Congress is currently debating two conflicting visions for new cybersecurity legislation. One vision calls on the Department of Homeland Security to exercise close scrutiny and tight regulatory control over cybersecurity measures deployed by private industry in key sectors of the economy. The other vision promotes a looser regulatory approach that gives companies specific incentives to upgrade their cyber defenses and share information with each other and the government. Both camps agree that our critical infrastructure is vulnerable to cyber attack, but the division over how best to protect it is real. What action do you recommend that Congress take this year regarding the proposed cybersecurity bills?


By Jeff Gould

As a staunch free marketer, I would much prefer to see an approach to cybersecurity based on the incentive carrot (the McCain bill) rather than the regulatory stick (the Lieberman bill). Very detailed, intrusive regulations may sound like a good idea when first proposed. But when put into practice, they all too often turn out to be far less effective and more burdensome than their sponsors hoped. Think TSA. I suspect few Americans would argue that the TSA in its current form is the optimal approach to airport security (some might even say it is an expensive disaster that provides far less protection from future terrorist threats than we are entitled to expect).

I do worry that an incentive based approach will become an excuse for opportunistic carve-outs and exemptions granted to favored industries and companies. If incentives offered to private firms for sharing sensitive cybersecurity information with the government are to be effective, they must be strong incentives. In effect, government should make private industry a safe-harbor “offer it can’t refuse”: if you scrupulously report cybersecurity issues you detect in your organization, you will gain some degree of liability protection, but if you don’t… you’re on your own (cue the trial lawyers and angry shareholders with pitchforks).

I also strongly support General Hayden’s suggestion that we should let the cybersecurity specialists at the NSA off the bench and send them into the field. They are America’s A-team, and the old rule that “the best defense is a good offense” is eminently applicable in the new domain of cybersecurity.

By Karen Evans

While I generally agree with a free market approach, I also believe there is a larger responsibility on the government’s part to be good stewards of the tax payers’ dollars. We need clear and explicit rules and requirements to ensure that we are fully leveraging this $80 billion portfolio. Not having these requirements is gross mismanagement of a significant chunk of taxpayer dollars – plain and simple. Any industry that sells goods and services should be willing to stand behind their products as well as be responsible when and/if an intrusion happens. With no clear rules, there will be no accountability and ultimately, this state of play leaves us vulnerable as a nation. Ultimately, I am for a light touch regulatory approach that maintains private sector nimbleness and speed while also ensuring that there are proper regulations and rules in place, that do not stifle innovation.

For additional commentary, see the post by Jeff Wright, from the Civitas Group titledMove Cybersecurity Legislation Forward to Safeguard Government Information Networks

More information

Post a comment

Sign in to comment.

Not yet registered? Join the debate