Last week White House Chief cyber security coordinator Michael Daniel made the announcement that officials in the Obama Administration had determined that no new regulatory authority was required by way of legislation in order to enhance US cybersecurity, and the Administration would now seek to streamline regulatory frameworks in an effort to promote imrpoved security in the private sector.
Internet Security Alliance (ISA) President Larry Clinton, an advocate for market incentives to bolster security efforts over implementing punitive regulatory structures, said the Obama Administration’s decision was significant step toward establishing a sustainable system for enhanced security.
“Research has repeatedly shown that the number one problem with respect to improving cyber security in critical infrastructure is economic not technical. While others are still toying with antiquated regulatory models to address this issue, the Administration has charted a new and visionary course through the President’s 2013 Executive Order on cyber security and today’s announcement is another welcome step in the right direction,” Clinton said.
“The simple fact is that the adversaries, some of which are nation states, are too sophisticated and the technologies and threat vectors change too rapidly for the traditional regulatory model to cope with a dynamic issue like cyber security. We need to be as creative as the attackers and find more dynamic mechanisms to answer the threat and finding a way to use the market is probably the best alternative,” said Clinton.
The Internet Security Alliance (ISA) is a non-profit multi-sector trade association which provides thought leadership and public policy advocacy on cybersecurity issues, representing the interests of organizations in aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security, and technology.
Early in the Obama Administration, the ISA had been critical of the President’s support for punitive and fiscally daunting regulatory models such as the now defunct Lieberman-Collins bill of 2012, but with the Administration later changed its position in favor of a collaborative program between government and industry, referred to as the NIST Cybersecurity Framework, which instead seeks to identify effective cyber security standards and practices and promotes voluntary adoption through the use of market incentives.
This Administration’s new approach largely follows the model advocated by the ISA in its 2008 Cyber Security Social Contract, which is recognized as the first and most often cited source in the Administration’s Cyber Space Policy Review, the White House’s primary policy document on cybersecurity. While ISA praises the direction the White House has taken, it also calls for more aggressive action by the Administration.
“The White House should move aggressively to use its power to streamline regulations not for general deregulatory purposes but as a reward for good actors,” Clinton advised.
In addition, ISA called on the Administration to identify mechanisms to provide incentives for the adoption of the NIST Cybersecurity Framework, including better use of cyber insurance and providing liability relief, fast tracking technologies and patent approval processes for good actors, better government procurement processes.
“We need to be even more aggressive in developing these incentive mechanisms to address a vast and growing cyber threat,” said Clinton.