Should the Government Make Cybersecurity Mandatory?
The heart of U.S. national cybersecurity policy is a reliance on voluntary measures and public-private partnerships for defending the nation's critical infrastructure.
In yesterday's Washington Post, President Obama's senior counterterrorism adviser, John Brennan, made the case again for protecting this critical infrastructure - power plants, refineries, transportation systems and water treatment centers - through better computer network security.
But what really ought to raise eyebrows is his stated opposition to the strictly voluntary approach that has been the hallmark of cybersecurity policy since before 9/11. He writes, "A voluntary system of cybersecurity compliance by critical infrastructure companies is a risk that the American people cannot afford to take".
This echoes the principles in the newly released Cybersecurity Act of 2012, which has bipartisan sponsorship.
Specifically, the Federal Government would set minimum cybersecurity performance standards, after garnering industry input, and companies that build or operate such infrastructure would be required to meet them. Those that fall short would be "directed" to tighten up their cybersecurity practices. Exactly how they would do so, for example by placing systems behind a firewall or on a stand-alone network, would be left up to the company.
A few problems. First, there is no mention of what the penalties would be for companies that fail to "tighten up" their cybersecurity practices after missing the standards. How punitive would they really be? Second, who exactly would fall under the regulatory jurisdiction of these standards? Defining what constitutes a "critical" cyber asset is extremely problematic and ripe for political favoritism. For instance, would only large corporations be subject to the mandatory requirements? What about small businesses, non-profit organizations, or individual website operators, all of whom typically lack the resources to deploy top-of-the-line cybersecurity measures?
If the Federal government wants to make certain cybersecurity practices mandatory, these issues all need to be explicitly clarified. Otherwise, the mandate could potentially serve as an existential burden to smaller businesses and websites.
I'm all for beefing up national cybersecurity, and not necessarily against mandatory practices to serve that end. All I'm saying is that the policy, as currently written, needs a far greater dose of transparency.