A new report by the Business Roundtable (BRT) affirms what Heritage analysts and other experts have been saying for years: Cybersecurity is best enhanced by information sharing, not more regulation.

Indeed, it was because of disagreements over a regulatory approach that cybersecurity efforts failed in the last Congress. The new Congress should learn from the mistakes of the prior one and reject a regulatory approach to cybersecurity, instead favoring more adaptable solutions like strong information sharing.

The BRT report begins by correctly recognizing that neither the private sector nor the government can fully address U.S. cybersecurity threats alone. A collaborative approach that leverages the strengths and positions of both is the only approach worth pursuing. “To that end, the single most important element of an effective cybersecurity policy is information sharing,” states the new BRT report.

Enabling the public and private sector to share data on new threats or vulnerabilities will help organizations in both sectors know what to watch out for so that they can avoid or mitigate the most current cyber dangers. Information sharing adapts to the threats that are out there, allowing organizations to keep up with the rapidly changing cyber realm at little cost.

These advantages were overlooked by the President and some in the Senate in the last Congress. Instead of pursuing flexible and low-cost information sharing, some believe that more regulation is the answer to the U.S.’s cybersecurity woes. They are mistaken. As the BRT report points out, regulations create a culture of compliance. If all a company needs to do is check off a few boxes for the government to say it is secure, many businesses will check the boxes and nothing more, regardless of how secure they really are.

Even more concerning is that these regulations cannot keep up with the constant changes in cybersecurity. New viruses and new defenses are being developed every day, and since it would likely take the government two to three years to write cybersecurity regulations, these regulations would already be outdated the day they are published. These regulations would also involve substantial costs to businesses, but these costs can’t be measured accurately by Congress, because it would have to wait those two or three years until the regulations are actually published.

The BRT report reinforces what many have been saying about cybersecurity: Strong information sharing brings adaptable, low-cost, security-focused, and collaborative solutions, while regulations bring stagnant, costly, and compliance-focused rules. The choice is clear, and Congress should choose information sharing, not regulation.