Analysis & Opinions - Inkstick
Reframing the Debate on Cybersecurity Regulations
Along with focusing on public-private collaboration, the US needs a new narrative on cybersecurity mandates.
In February 2012, the first significant attempt to set mandatory cybersecurity requirements and response plans for critical infrastructure was introduced in Congress. Unfortunately, it was watered down to voluntary standards and failed in the Senate. Opponents of the bill cited fears of overburdening regulations on companies and warnings of over-simplistic box-checking and minimum compliance. Business groups championed the narrative of big government to ensure the bill’s demise — and that narrative persists to this day.
Since then, the threat landscape has continued to evolve, so much so that our nation has suffered disruptive and deadly cyberattacks, signaling that the system is stressed and the warning lights are blinking. As a result, the Biden administration has issued emergency security directives for pipelines and launched an initiative to address water and wastewater cybersecurity, both of which are expected to garner significant pushback from their respective industries. Still, we’ve come no closer to mandating cybersecurity standards for the breadth of our critical infrastructure by Congress.
As the COVID-19 pandemic and climate change portend, we no longer find ourselves in a time of rare or infrequent disasters. Rather, we must expect and plan for these disasters, including living with them. Cyberattacks will continue and grow in intensity, frequency, and sophistication. To deal with them, we must reframe the debate on regulation legislation from discussions about burdens on the private sector and the reach of big government to one that demands pragmatic protections and consequence planning regardless of the likelihood of a breach.
WHERE WE’RE STUCK
Our nation is currently stuck in a debate about how to protect the public from cyberattacks. This stems from the design of US legal and economic systems and ownership and use of the networks that comprise the Internet. More resources are freeing up to help secure our critical infrastructure, especially at the state and local levels. But in the absence of mandates, the market hasn’t forced security adoption or preparedness across the board as hoped. While the private sector arguably has equities regarding market competition and corporate liability (which are genuine issues to consider), does such a chasm exist when considering the public safety consequences of a breach?
Want to Read More?
The full text of this publication is available via Inkstick.
For more information on this publication:
Belfer Communications Office
For Academic Citation:
Kayyem, Juliette and Lauren Zabierek. “Reframing the Debate on Cybersecurity Regulations.” Inkstick, July 17, 2022.