November 19, 2018
Cyberattacks could potentially disrupt U.S. infrastructure, from the electric grid to the financial system. In July, the Department of Homeland Security reported that Russian hackers gained access to the control rooms of electric utilities. Now, analysts and policymakers are debating the best way to protect our critical infrastructure. While many believe that federal and state government regulation, funding and oversight are necessary, others argue this tack may actually cause harm and we should consider alternative approaches.
The Wall Street Journal reports that Richard Forno, assistant director of the University of Maryland's Center for Cybersecurity and director of its graduate cybersecurity program, advocates government involvement, whereas Anne Hobson, program manager at George Mason University's Mercatus Center, argues for “the development of targeted, sector-specific solutions.”
The argument for government intervention notes that, although “industry cooperation on cybersecurity standards, best practices and information sharing are helpful in fostering stronger infrastructure security on a daily basis,” the industry might not be able to “handle the realities of protecting America’s critical infrastructures without some degree of federal and state government regulation and oversight.” That’s because public companies have a “primary responsibility to their shareholders and not the general public.”
The advocates of government involvement point to the 2008 financial crisis as “one example where industry self-policing failed with catastrophic results.” They admit that government regulation can, “and frequently does, create more problems than it purports to solve,” so they propose “light touch” regulation consisting of “a set of common cybersecurity standards, perhaps based on accepted international criteria like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or the European General Data Protection Regulation,” or the international ISO 27001 information-security standard.
Those opposed to government regulation respond that “one-size-fits-all requirements are bound to be vague or outdated,” adding that “codified requirements can become inflexible in the quickly evolving technological sphere.” They also note that “critical-infrastructure facilities aren’t equally vulnerable to cyberthreats because they don’t rely equally on digital technologies,” which would mean that “mandatory cybersecurity requirements could be inadequate for some sectors and needlessly onerous for others.”
Such regulations could also “foster a false sense of security that blinds management to the need to invest in improved defenses against emerging vulnerabilities.” The opponents point out that “efforts spent hardening current systems can take away from the development of a newer, more resilient system,” and that government cybersecurity regulations “would duplicate existing federal efforts,” such as the NIST guidelines.
This group believes that “the best way forward is for government to support an institutional environment that makes it worthwhile for companies and industries to self-regulate.” Along with that, companies that have been hacked, such as Equifax, should “bear the full cost of a data breach so that they prioritize cybersecurity.”