Report: Cybersecurity regs would be tricky
Congressional Research Service says regulatory framework could build on Year 2000 model.
Some lawmakers, concerned about the nation’s vulnerability to cybercrime and possible cyberterrorism, are considering whether a larger federal government role in dealing with the problem is feasible.
But a recent study by the Congressional Research Service, which conducts public policy studies, suggests that congressional leaders will face significant challenges if they try to create a regulatory framework to strengthen the nation’s cyberdefenses.
The 57-page report concludes that at least four factors account for continuing challenges facing those interested in cyberspace security. On one hand, computer networks have many of the characteristics of a public commons, which the report says lessens the effectiveness of market mechanisms for improving cybersecurity. In that sense, cyberspace is like a public highway system.
On the other hand, the report cites the difficulty of obtaining cooperation from and coordinating all the parties whose activities affect cybersecurity, especially given cyberspace's global nature.
Third, little agreement exists on the best approaches to securing cyberspace.
Finally, the report cites the pace of technological change, which often outstrips attempts to develop effective regulatory standards.
Still, the question of whether a broad regulatory framework might be necessary to secure cyberspace remains a significant concern of the House Homeland Security Committee’s Economic Security, Infrastructure Protection and Cybersecurity Subcommittee's members, who requested the report.
Such a framework would necessarily be complex and would necessitate adopting mandatory standards and requiring certifications, conducting audits, improving training and education, and building security into government agencies’ and businesses’ enterprise architecture plans.
The report cites two possible models for greater government involvement in cybersecurity. One is the government response to the year 2000 computer crisis. The Securities and Exchange Commission set rules requiring companies to report on their Year 2000 preparedness, and Congress passed liability protections for companies that complied with the rules.
The other is a food safety or environmental regulation model in which federal agencies set regulations and use inspectors to monitor compliance. But the report raises questions about the feasibility of either one, especially the regulatory model, noting that “the highly interconnected, amorphous and constantly evolving nature of cyberspace might provide significant barriers to the creation of regulations that improve cybersecurity but do not impede technology development and entrepreneurship.”
Despite being inconclusive, the report lays out several legislative options, which include:
* Encouraging widespread adoption of cybersecurity standards and best practices.
* Using procurement practices to make cybersecurity a priority.
* Requiring mandatory reporting of certain kinds of security breaches.
* Providing mechanisms for product liability actions.
* Helping the insurance industry develop cybersecurity insurance.
* Strengthening federal cybersecurity programs.
The strongest option, according to the report, would be for Congress to provide the Homeland Security Department or another agency with regulatory authority over cyberspace industries.