Critical infrastructure protection calls for carrots and sticks

Cybersecurity is an economic issue rather than a technical problem, and the best way for government to address it is to provide the private sector with economic incentives, said the Internet Security Alliance, a broad-based industry group.

Its position, while not wrong, is a bit one sided. Incentives are only one part of a solution.

We already have the tools to dramatically improve the security of our critical infrastructure, most of which is privately owned, but regulatory mandates are not effective in putting them in place, ISA said in a recently released report on implementing a cybersecurity strategy. The key is to move cybersecurity out of the information technology ghetto and into the business plan with a host of tax, liability and other financial incentives.

“Government’s primary role ought to be to encourage the investment required to implement the standards, practices and technologies that have already been shown to be effective in improving cybersecurity,” the report states. “A system of regulatory mandates applied to the broad and diverse private sector is unlikely to be effective in generating substantial improvements in private-sector cybersecurity."

That position is understandable. If you ask the donkey (no offense intended), he is going to tell you he prefers the carrot. But the driver will tell you that he loses control if you take away the stick.

The ISA proposal, which blends common-sense ideas with innovative ones, is based on a social contract model used by government and industry in the early 20th century to ensure universal availability of utilities such as telephone and electricity service. Universal service has been a successful program, but it is not a very accurate analog to cybersecurity.

Telephone and electricity were new services that were in the process of being rolled out to the nation 100 years ago, primarily through monopoly providers. Today’s digital information infrastructure already is widely deployed and now underlies much of our nation’s economy. The universal service model might be appropriate for extending services such as broadband Internet access to underserved areas, but securing existing infrastructure is a different problem.

Industry’s wariness of regulation is understandable. It can be heavy-handed, burdensome and ineffective. Doing something because it makes business sense would seem to be the better route. But what makes good business sense will vary from company to company, each of which has its own interests to serve. And a company’s interests are not the nation’s interests. A company serves its investors and stockholders. Its risk management decisions might make good sense for stockholders and still leave disturbing gaps in our nation’s cybersecurity.

If there are national interests at stake, government has an obligation to set baseline standards for industry to follow. Regulating without stifling can be a tricky business, especially in areas of technology that are changing rapidly and in which the regulators often have little expertise. But that does not mean that Congress or oversight agencies cannot or should not craft regulations that are technology-neutral, business-friendly and effective.

Doing that might not be an easy task, and effective oversight and enforcement of regulations might be even tougher. But it is the proper job of government.

ISA’s proposal is sensible and worth pursuing. It makes a good carrot. But let’s not forget the stick. It does not have to be punitive, but it is what makes the carrot effective.