Analysis & Opinions - Inkstick

Reframing the Debate on Cybersecurity Regulations

July 17, 2022

Along with focusing on public-private collaboration, the US needs a new narrative on cybersecurity mandates.

In February 2012, the first significant attempt to set mandatory cybersecurity requirements and response plans for critical infrastructure was introduced in Congress. Unfortunately, it was watered down to voluntary standards and failed in the Senate. Opponents of the bill cited fears of overly burdensome regulations on companies and warnings of over-simplistic box-checking and minimum compliance. Business groups championed the narrative of big government to ensure the bill’s demise — and that narrative persists to this day.

Since then, the threat landscape has continued to evolve, so much so that our nation has suffered disruptive and deadly cyberattacks, signaling that the system is stressed and the warning lights are blinking. As a result, the Biden administration has issued emergency security directives for pipelines and launched an initiative to address water and wastewater cybersecurity, both of which are expected to garner significant pushback from their respective industries. Still, we’ve come no closer to Congress mandating cybersecurity standards for the breadth of our critical infrastructure.

As the COVID-19 pandemic and climate change portend, we no longer find ourselves in a time of rare or infrequent disasters. Rather, we must expect and plan for these disasters, including living with them. Cyberattacks will continue and grow in intensity, frequency, and sophistication. To deal with them, we must reframe the debate on regulation legislation from discussions about burdens on the private sector and the reach of big government to one that demands pragmatic protections and consequence planning regardless of the likelihood of a breach.

WHERE WE’RE STUCK

Our nation is currently stuck in a debate about how to protect the public from cyberattacks. This stems from the design of US legal and economic systems and ownership and use of the networks that comprise the Internet. More resources are freeing up to help secure our critical infrastructure, especially at the state and local levels. But in the absence of mandates, the market hasn’t forced security adoption or preparedness across the board as hoped. While the private sector arguably has equities regarding market competition and corporate liability (which are genuine issues to consider), does such a chasm exist when considering the public safety consequences of a breach?

For Academic Citation: Kayyem, Juliette and Lauren Zabierek. “Reframing the Debate on Cybersecurity Regulations.” Inkstick, July 17, 2022.