Previous Politech message: "Defense hawks bash White House report, want new laws, regulations"
http://www.politechbot.com/p-03999.html

James Lewis was one of the two CSISers I quoted in that article as wanting more laws. He had said: "Cybersecurity is too tough a problem for a solely voluntary approach to fix. Companies will only change their behavior when there are both market forces and legislation that cover security failures. Until the U.S. has more than just voluntary solutions, we'll continue to see slow progress in improving cybersecurity."

-Declan

---

Date: Fri, 20 Sep 2002 10:16:33 -0400
From: "James Lewis" <JALewisat_private>
To: <declanat_private>
Subject: Defense Hawks bash, etc

Declan:

I actually think the National Strategy is very strong, but I question the heavy reliance on voluntary action and self-regulation. Politech readers might want to look at the section (460 words) from a draft report that I pasted below. It outlines ideas on regulation as an incentive for cybersecurity.

Thanks,
Jim Lewis

***

In a perfect market, the private sector would purchase adequate security and firms would offer the products needed for it. This has not been the case. While some industry sectors (such as financial services) have moved to increase security, other sectors may not improve absent increased incentives. Despite arguments that market forces and the evolution of the IT industry will improve security voluntarily, we must ask if cybersecurity, as with health, environmental, or safety issues, requires further government intervention. Government intervention could include direct or indirect subsidies for cybersecurity spending, i.e. tax relief, R&D funding, or the use of Federal purchases to promote more secure products. It could also include reinsurance subsidies (the U.S. provides reinsurance for natural catastrophes) in exchange for insurers' adherence to cybersecurity standards such as ISO 17799.
Continued exhortation by government officials for the private sector to voluntarily take action is a form of intervention that occasionally is effective. Governments can also use law and regulation as incentives to encourage certain behaviors. Legislation and regulation (or even the threat of legislation and regulation) will energize the private sector to move faster in cybersecurity. Regulation should avoid a heavy-handed, prescriptive approach and instead aim to increase transparency and assign responsibility, leaving it up to individuals as to how best to meet requirements. The Health Insurance Portability and Accountability Act of 1996 and the Gramm-Leach-Bliley Financial Reform Act, by creating responsibility for privacy (and consequently security), worked to increase awareness and demand for security products and are useful (but not perfect) models of this.

While security is an ongoing problem and Y2K was a single event, Y2K may also be a model on how regulation can energize private sector behavior for cybersecurity. The primary function of government in Y2K was as an organizer and educator. The Y2K effort gathered and disseminated information, organized multinational networks, shared information on best practices and worked through public-private partnerships to raise awareness. However, regulatory action by the Securities and Exchange Commission and by banking regulators also played a galvanizing role in Y2K preparations. Companies had to show publicly and to their regulators that they had taken adequate steps to protect against Y2K disruption. Similar SEC requirements for companies to report the steps they are taking to protect themselves from cyber attack would improve network security.

Internet policy problems challenge governments' ability to carry out their functions. Traditional governmental responses, such as prescriptive regulation, will not create cybersecurity, but neither will a reliance on self-regulation and voluntary action.
One solution may be a new style of governance built on explicit public-private partnerships. Defining the scope of these partnerships and the responsibilities of each partner requires that we identify places where the market response is weak as candidates for government action, and which government actions (if any) would be an appropriate response.

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
CNET Radio 9:40 am ET weekdays: http://cnet.com/broadband/0-7227152.html
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Sep 20 2002 - 07:46:52 PDT