- The Foundry: Conservative Policy News from The Heritage Foundation - http://blog.heritage.org -

Cybersecurity: Government Regulations Can’t Keep Up

Posted By Sarah Friesen On May 10, 2013 @ 10:36 am In Security | Comments Disabled

Newscom [1]


For the first time since 2005 [2], the U.S. National Institute of Standards and Technology (NIST) has revised the federal cybersecurity standards. Since the last update, flash memory, Wi-Fi, smartphones, microchips, and social media have burst onto the scene.

Why has NIST not updated the federal cybersecurity standards much sooner? Because regulation moves about as quickly as cold molasses. Writing regulations takes 24–36 months, while the processing power of computers doubles every 18–24 months. This means that by the time a regulation is implemented, it’s already outdated.

Nonetheless, the current cybersecurity regime in D.C. is regulation heavy. On February 14, President Obama issued an executive order (EO) on cybersecurity [3] that, although it took some steps to promote information sharing, mandated a new set of regulations [4]—which NIST was put in charge of.

Between May and November 2012, the federal government has suffered 13 cybersecurity breaches and failures [5]. Clearly the government’s current method isn’t working.

Instead, the government needs to harness the power of the private sector, which is adaptable and innovative in ways that a federal government slowed by bureaucracy simply is not. Cyber legislation that incorporates seven non-regulatory elements [6] will enhance the U.S.’s cybersecurity.

One of these elements is information sharing. If companies can share cyber threat and cybersecurity information among themselves and with the government, then the U.S. cyber community as a whole will be better protected. However, there are a few things that need to take place [7] before the information can flow freely.

First, information sharing should be effectively enabled but not mandated. This means revising outdated laws and establishing a new structure to ensure rapid sharing between the private sector and the government. This structure should be nimble and thus should not be housed within any government entity. Instead, information sharing should take place through a public–private partnership organization that includes representatives from government, industry, and privacy groups—similar to the way the Internet [8] is currently governed [9].

Second, companies sharing information about cyber threats, vulnerabilities, and breaches need strong legal protections from baseless lawsuits. If information sharing is going to take place, companies need to be protected, not punished.

Congress should include these elements, among others [6], in whatever legislation it ultimately creates. Updating regulations every eight years [2] is simply not an effective way to maintain our nation’s cybersecurity.

Sarah Friesen is currently a member of the Young Leaders Program at The Heritage Foundation. For more information on interning at Heritage, please click here [10].

Article printed from The Foundry: Conservative Policy News from The Heritage Foundation: http://blog.heritage.org

URL to article: http://blog.heritage.org/2013/05/10/cybersecurity-government-regulations-cant-keep-up/

URLs in this post:

[1] Image: http://blog.heritage.org/wp-content/uploads/cybersecurity-120706.jpg

[2] first time since 2005: http://www.computerweekly.com/news/2240183045/NIST-revises-US-federal-cyber-security-standards

[3] executive order (EO) on cybersecurity: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

[4] mandated a new set of regulations: http://www.heritage.org/research/reports/2013/02/obama-s-cybersecurity-executive-order-falls-short

[5] 13 cybersecurity breaches and failures: http://www.heritage.org/research/reports/2012/11/cybersecurity-breaches-and-failures-in-the-us-government-continue

[6] seven non-regulatory elements: http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace

[7] a few things that need to take place: http://blog.heritage.org/2013/04/08/7-steps-to-solve-congressional-cyber-stalemate/

[8] the Internet: http://www.icann.org/en/about/welcome

[9] currently governed: http://www.internetsociety.org/who-we-are

[10] click here: http://www.heritage.org/about/departments/ylp.cfm

Copyright © 2011 The Heritage Foundation. All rights reserved.