Cybersecurity: More Government Regulation?
One of the side effects of a world interconnected through the Web is the growing prevalence of bad actors who have figured out ways to steal business secrets, raid consumer financial information, and wreak havoc on business networks. With cyber threats on the rise, one of the growing debates in Washington is how to better protect businesses and individuals from them.
The debate boils down to whether the federal government can best support cybersecurity through costly regulation or through collaborative information sharing with the private sector, which owns the vast majority of computer systems and assets.
Both sides are pushing their preferred legislative solution. The Cybersecurity Act of 2012 aims to regulate a range of U.S. infrastructure cyber networks at the expense of innovative approaches to address constantly changing cyber threats.
Jody Westby, CEO of Global Cyber Risk, says that “the Cybersecurity Act of 2012 actually would put a federal agent inside most of these businesses’ data centers and require assessments and reporting that could make Sarbanes-Oxley seem inexpensive.”
Opponents of this approach say it could actually hinder America’s cyber readiness. Regulators may not move fast enough to keep up with the dynamic cyber threat, and if businesses focus only on meeting government standards, they will be hard-pressed to address new and changing cyber realities.
The business community, led by the Chamber, is rallying around a more sensible approach. It supports the House-backed Cyber Intelligence Sharing and Protection Act of 2011 (CISPA), which prizes collaboration over regulation. It would compel the government to provide businesses with specific threat information and incentivize the voluntary sharing of private sector information, safeguarding businesses against lawsuits, public disclosure, and regulations.
“Far from creating a ‘Wild West’ of cyber information sharing, the legislation would guard Americans’ privacy by prohibiting the government from compelling private companies to hand over information,” says Chamber President and CEO Tom Donohue. “And it would encourage companies to minimize information that they do share and make it anonymous. The central purpose of the bill is to ensure the security of a system or a network—not collect or monitor personal information.”
The cybersecurity debate in Washington is now focused in the Senate, where the bill most closely resembling CISPA is the bipartisan Secure IT Act. In a letter to the bill’s co-authors, Sens. McCain (R-AZ) and Hutchison (R-TX), Chamber Executive Vice President for Government Affairs Bruce Josten wrote: “The right path forward is for the public and private sectors to work together to solve challenges; to increase real-time cyber threat information sharing within and between the public and private sectors; and to foster the development and deployment of innovative cybersecurity technologies, which provide the best chance of staying ahead of rapidly evolving cyber threats.”
Says Westby, “American companies need help with cybercrime and cyber espionage, and they need to better understand how to respond to a catastrophic cyber situation. But they do not need the U.S. government inside their data centers or mandating costly security requirements that may be out of date or ineffective.”