Journal Article - IEEE Security & Privacy

Regulating Cybersecurity: Institutional Learning or a Lesson in Futility?

| November-December 2014


On 22 November 2013, the Federal Energy Regulatory Commission approved the latest version of mandatory cybersecurity regulations for the bulk electric system—known as Critical Infrastructure Protection (CIP) Reliability Standards. The CIP standards are relatively unique: they are developed through an unusual model of industry-led regulation that places industry, and not federal regulators, at the center of regulatory design and enforcement. The CIP regulations have received a significant amount of criticism. Critics argue that the regulations are incomplete at best and irreparably flawed at worst. The author examines the lessons we can learn from the CIP standards and poses a provocative question: Are the regulations actually a secret success?

Continue reading (log in may be required):

For more information on this publication: Please contact Science, Technology, and Public Policy
For Academic Citation: Ellis, Ryan. Regulating Cybersecurity: Institutional Learning or a Lesson in Futility?.” IEEE Security & Privacy, vol. 12. no. 6. (November-December 2014):