Rethinking the Cybersecurity Equation
By: Stephen Recca, M.A.
Legislative attempts to gain a measure of control over the burgeoning issue of cybersecurity are causing considerable angst among policymakers, special interest groups, the media, and experts of every stripe.
With a focus on the furthest-along of various bills, the House-passed Cyber Intelligence Sharing and Protection Act, the cybersecurity debate centers around claims ranging from “The bills are too lenient on privacy.” to “The bills are too severe.” and “They place an undue burden on industry.” to “They don’t place enough responsibility with industry.”
Amid the debates, nothing is accomplished.
The reality is, it is premature to even attempt to legislate cybersecurity at this stage. We have neglected the first and essential part of the equation: developing a coherent policy framework that reflects the nuances of this fast-moving field. Once that is accomplished, then it will be time for legislators to introduce the regulatory and legal structure to govern it.
Policy should not be developed unilaterally. It requires a broad synchronization of thinking by the best minds in government, industry, and academia. A critical starting point is achieving some modicum of balance between privacy and security.
And that is where we continue to stumble.
In finding that balance, an issue lies in how we assess risk and how much risk we’re willing to assume. And this is a politically charged issue for any administration; much less in the currently-polarized Washington environment. No president wants to say, “You, John Q. Public, and you, Big Business, must both assume some level of risk in all this.”
It is impossible to protect against every sort of cyber-attack. Like it or not, we must all assume some level of risk to ensure we continue our American way of life. In business, some tolerance for risk is assumed. However, in the public sector, there is less tolerance. This resistance to risk causes our legislative efforts to fall short.
We need to take a hard look at our cybersecurity policy and ensure those that that frame it are the best minds private and public sectors can bring to the table. Those leaders need to identify the particular cybersecurity issues that can and cannot be solved legislatively. Further, the balance between privacy and security must be determined from the basis of a realistic evaluation of the risk scenario.
The cyber realm is a fast-moving field. Policymakers don’t really seem to understand it. Security experts are more attuned to its nuances. What’s missing is thoughtful leadership in cybersecurity policy – those knowledgeable in technical, strategic and political aspects across the government and the private sectors. America needs to be thoughtful about the inclusive process by which we develop and adjust our cybersecurity policy; and arm it legislatively in a way that demonstrates a national approach in balancing security and privacy. As the global leader in information sciences, the United States is responsible for establishing the standard with our next actions.
Explore legislative action involving cybersecurity, or read the open letter to Congress drafted by CTU’s University Director of Homeland Security, Bob Lally, with fellow leaders.