Cybersecurity regulation

Cybersecurity is the practice of protecting online networks, systems, and information from cyber attacks. Cybersecurity regulation involves policies that mandate specific cybersecurity strategies in both the private and public sectors. With the increasing reliance on digital systems and networks by both individuals and organizations, cyber attacks have become more common and detrimental. As a result, the role of the federal government in regulating cybersecurity has been a topic of discussion and debate.

Advocates of heightened federal cybersecurity regulations support two main arguments:

  1. It is critical to protect national security. Cyber attacks are targeting critical infrastructure such as pipelines and power grids, leaving vulnerabilities in national security. Because so much of US critical infrastructure lies in the private sector, it is becoming increasingly important to protect private companies with federally mandated cybersecurity guidelines. Government regulation can help protect national security in many ways. Lowering the barriers to cyber risk information sharing can promote a better understanding of the cyber threat landscape and lead to improved cybersecurity protections. Introducing federally mandated liability provisions can incentivize businesses to better protect their systems from cyberattacks.    
  2. Public-private partnerships in cybersecurity are effective and could benefit from being federally mandated. The federal government has a better grasp on cyber threats due to its intelligence capabilities, but private companies often have more advanced cybersecurity capabilities. Combining these unique abilities leads to the most effective cybersecurity protections, as companies can greatly benefit from the federal government’s surveillance, forecasting, and notification of cyber threats. The EU has pioneered these partnerships through the successful enactment of a public-private partnership (PPP) on cybersecurity in 2016.

Critics of federal cybersecurity regulations argue the following:

  1. The government should be limited in its access to private information. Privacy risks that occur when sharing cybersecurity information are not worth the tradeoff for better cybersecurity regulations. The American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) have stated that sharing cybersecurity-related information with the government will introduce serious privacy concerns, thereby infringing upon the privacy rights of citizens. Specifically, the privacy concerns mainly involve the sharing and dissemination of personally identifiable information (PII) throughout the government. This leads to further questions over how that data will be used as well as who can access the shared information. Additionally, some cybersecurity professionals and technology companies have argued that the sharing of private consumer information with the government violates individual privacy rights. They say that the introduction of these privacy risks is not worth the limited benefit of information sharing with the government.
  2. Mandating cybersecurity guidelines can inhibit companies. Threats of liability can stifle innovation for many companies. For example, ensuring that software products adhere to federally mandated cybersecurity standards creates additional, costly steps in the innovation of such products. Opponents of mandatory cybersecurity regulations further argue that acting in compliance could reveal trade secrets and make products less competitive in the market. Additionally, some also argue that federal cybersecurity mandates may actually impede the current cybersecurity measures of businesses by forcing them to adapt to government mandates.

Currently, there is a lack of comprehensive federal cybersecurity regulation, yet recent developments suggest that such regulations may be coming. For example, in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law, which requires certain critical infrastructure entities to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). In March 2023, the Biden-Harris administration announced a new federal cybersecurity strategy, with an emphasis on holding companies liable for protecting their cyberspace. While it remains unclear what specific policies will be designed, this announcement represents a major step towards more comprehensive federal cybersecurity regulation.
