Freedom requires that one be safe and secure in one’s possessions—a world in which criminals steal or destroy others’ property at will is neither free nor secure. The same is true in cyberspace, where digital criminals have a great interest in stealing sensitive data or disrupting critical services.
And, with everything from military systems to smartphones now linked to the Internet, the number of bad actors seeking to attack or steal from those targets has increased dramatically. Every year, hackers compromise, steal or destroy hundreds of billions of dollars in intellectual property and real money, and access critical military secrets from the United States. Different estimates exist for the cost of cybercrime, but they seem to point to annual costs to the U.S. of $100 billion or more and to global costs that could reach $600 billion.
How can this problem be addressed? Early congressional proposals supported by the Obama administration would have imposed mandatory cybersecurity standards on key private sector industries. Mandatory standards have certain surface appeal: After all, if security standards in the private sector are not where they should be, shouldn’t the government step in and require better security? But this approach has several key flaws.
First, regulations will have a hard time keeping up with the rapidly changing environment. Cyber mandates may be able to improve cybersecurity by making companies able to address threats of the last generation, but they are ill prepared to address constantly changing threats that emerge from the current and future generations of technology.
Second, because of the delay inherent in government regulation, cybersecurity innovation suffers. Even if regulatory proposals avoid prescribing specific solutions, they tend to focus on problems, threats and features of cyberspace that are specific to the past. As a result, companies will seek solutions that meet the outdated regulations at the expense of solutions for the current or foreseeable crop of problems. Thus, government regulation actually could weaken U.S. cybersecurity.
Third, regulations often create a culture of compliance. Regulations ultimately require businesses to do certain things or face penalties. When faced with such prospects, many companies will seek the lowest-cost way of meeting these standards, regardless of whether such actions will be the best decision for any given company. This compliance-over-security mindset opposes innovation and real engagement with the issue at hand.
As a result, regulations are a less-than-ideal way to encourage cost-effective investments in security. Instead, policymakers can reduce barriers to improved cybersecurity by using private-sector incentives.
One is the sharing of cybersecurity threat and vulnerability information among both private and public sector entities. By sharing information, different entities in the two sectors can be warned about likely attacks or other specific problems. No company or government agency knows everything about cybersecurity, which makes sharing information about threats and vulnerabilities a cost-effective way to raise cyber preparedness and awareness.
Information sharing can be seen as a kind of crowdsourcing function, akin to the popular “Waze” application for traffic data, by which users voluntarily report traffic conditions they experience. Just as Waze helps large numbers of individuals on their commute, information sharing in cyberspace helps businesses and government agencies avoid cybersecurity potholes and problems—and does so at little cost.
Information sharing is a relatively inexpensive way of improving cybersecurity, and it involves minimal sharing of personal information. Sensitive and personal data in emails and databases may be the target of cyberattacks, but information sharing is not aimed at using the personal content of those emails and databases since that information does nothing to support security. Instead, sharing information about threats, vulnerabilities and the source of attacks enhances and protects the privacy of Internet users. Congress is currently debating such policies.
Information sharing is not a silver bullet, but it is one step toward better cybersecurity. Together with other policies that draw upon the expertise of the private sector rather than dictate government solutions, the U.S. can advance security and freedom online.