Cybersecurity: Government Regulations Can’t Keep Up

    Newscom

    For the first time since 2005, the U.S. National Institute of Standards and Technology (NIST) has revised the federal cybersecurity standards. Since the last update, flash memory, Wi-Fi, smartphones, microchips, and social media have burst onto the scene.

    Why has NIST not updated the federal cybersecurity standards much sooner? Because regulation moves about as quickly as cold molasses. Writing regulations takes 24–36 months, while the processing power of computers doubles every 18–24 months. This means that by the time a regulation is implemented, it’s already outdated.

    Nonetheless, the current cybersecurity regime in D.C. is regulation heavy. On February 14, President Obama issued an executive order (EO) on cybersecurity that, although it took some steps to promote information sharing, mandated a new set of regulations—which NIST was put in charge of.

    Between May and November 2012, the federal government suffered 13 cybersecurity breaches and failures. Clearly the government’s current method isn’t working.

    Instead, the government needs to harness the power of the private sector, which is adaptable and innovative in ways that a federal government slowed by bureaucracy simply is not. Cyber legislation that incorporates seven non-regulatory elements will enhance the U.S.’s cybersecurity.

    One of these elements is information sharing. If companies can share cyber threat and cybersecurity information among themselves and with the government, then the U.S. cyber community as a whole will be better protected. However, there are a few things that need to take place before the information can flow freely.

    First, information sharing should be effectively enabled but not mandated. This means revising outdated laws and establishing a new structure to ensure rapid sharing between the private sector and the government. This structure should be nimble and thus should not be housed within any government entity. Instead, information sharing should take place through a public–private partnership organization that includes representatives from government, industry, and privacy groups—similar to the way the Internet is currently governed.

    Second, companies sharing information about cyber threats, vulnerabilities, and breaches need strong legal protections from baseless lawsuits. If information sharing is going to take place, companies need to be protected, not punished.

    Congress should include these elements, among others, in whatever legislation it ultimately creates. Updating regulations every eight years is simply not an effective way to maintain our nation’s cybersecurity.

    Sarah Friesen is currently a member of the Young Leaders Program at The Heritage Foundation.

    Posted in Security
