“Voluntary” Cybersecurity Standards: The Threat of Regulation Looms
Brett Ramsay
Recently, Federal News Radio reported that the National Institute of Standards and Technology (NIST) is nearing completion of the nation’s first ever cybersecurity framework. Despite initial cooperation, the threat of mandatory regulations as a result of this framework is a sword hanging over the private sector.
The NIST framework is supposed to act as a voluntary program encouraging resilient cybersecurity through best practices, new security techniques, and gauges to help organizations better understand their own cybersecurity.
Despite the “voluntary” language of the framework, some industry leaders see in this document the creation of future government regulations. In fact, Sections 8–10 of President Obama’s executive order call for a regulatory system that will squash private initiative.
The ever-changing nature of cyberspace means the framework’s standards and best practices will be outdated within months if not weeks. Furthermore, this model cannot effectively enable critical cybersecurity tools such as information sharing, since only legislation can provide much-needed liability and Freedom of Information Act (FOIA) protections.
Instead of taking a standards-based approach to cyber defense, Congress should create an effective information-sharing environment while also avoiding costly regulatory burdens. This would allow close collaboration between private companies and government. Without this close cooperation, U.S. cyber defenses will become slow and rigid.
To enable this cooperation, Congress should act on seven elements providing companies with critical legal protections and making it easier to share information. Due to ambiguities in current law, companies are hesitant to share information on cybersecurity. Many companies fear the legal ramifications for disclosing information as well as losing competitive advantage through the FOIA requests of competitors.
Importantly, any information-sharing effort must be a two-way street between government and the private sector. As such, a central hub for sharing cybersecurity information should be created. A nonprofit organization modeled after the Internet Corporation for Assigned Names and Numbers or the Internet Society could fill this role. Such an organization would include industry representatives to protect the interests of the private sector and representatives from privacy organizations to make sure information sharing respects Americans’ civil liberties.
Instead of merely hoping that the NIST framework will follow a voluntary path, Congress should stop ceding authority to regulators and pursue policies that allow the private sphere to exert innovation and excellence without fearing future government regulations.
Brett Ramsay is currently a member of the Young Leaders Program at The Heritage Foundation.