Author: Charles Wang

  • Pros and Cons of Cybersecurity Regulation

    Cybersecurity is the practice of protecting online networks, systems, and information from cyber attacks. Cybersecurity regulation involves policies that mandate specific cybersecurity strategies in both the private and public sector. With the increasing reliance on digital systems and networks by both individuals and organizations, cyber attacks have become more common and detrimental. As a result of this, the role of the federal government in regulating cybersecurity has been a topic of discussion and debate.

    Advocates of heightened federal cybersecurity regulations support two main arguments:

    1. It is critical to protect national security. Cyber attacks are targeting critical infrastructure such as pipelines and power grids, leaving vulnerabilities in national security. Because so much of US critical infrastructure lies in the private sector, it is becoming increasingly important to protect private companies with federally mandated cybersecurity guidelines. Government regulation can help protect national security in many ways. Lowering the barriers to cyber risk information sharing can promote a better understanding of the cyber threat landscape and lead to improved cybersecurity protections. Introducing federally mandated liability provisions can incentivize businesses to better protect their systems from cyber attacks.
    2. Public-private partnerships in cybersecurity are effective and could benefit from being federally mandated. The federal government has a better grasp on cyber threats due to its intelligence capabilities, but private companies often have more advanced cybersecurity capabilities. Combining these unique abilities leads to the most effective cybersecurity protections, as companies can greatly benefit from the federal government’s surveillance, forecasting, and notification of cyber threats. The EU has pioneered these partnerships through the successful enactment of a public-private partnership (PPP) on cybersecurity in 2016.

    Critics of federal cybersecurity regulations argue the following:

    1. The government should be limited in its access to private information. The privacy risks that arise when sharing cybersecurity information are not worth the tradeoff for better cybersecurity regulations. The American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) have stated that sharing cybersecurity-related information with the government will introduce serious privacy concerns, thereby infringing upon the privacy rights of citizens. Specifically, the privacy concerns mainly involve the sharing and dissemination of personally identifiable information (PII) throughout the government. This leads to further questions over how that data will be used as well as who can access the shared information. Additionally, some cybersecurity professionals and technology companies have argued that the sharing of private consumer information with the government violates individual privacy rights. They say that the introduction of these privacy risks is not worth the limited benefit of information sharing with the government.
    2. Mandating cybersecurity guidelines can inhibit companies. Threats of liability can stifle innovation for many companies. For example, ensuring that software products adhere to federally mandated cybersecurity standards creates additional, costly steps in the development of such products. Opponents of mandatory cybersecurity regulations further argue that acting in compliance could reveal trade secrets and make products less competitive in the market. Additionally, some also argue that federal cybersecurity mandates may actually impede businesses’ existing cybersecurity measures by forcing them to adapt to government mandates.

    Currently, there is a lack of comprehensive federal cybersecurity regulation, yet recent developments suggest that such regulations may be coming. For example, in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law, which requires certain critical infrastructure entities to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). In March 2023, the Biden-Harris administration announced a new federal cybersecurity strategy, with an emphasis on holding companies liable for protecting their cyberspace. While it remains unclear what specific policies will be designed, this announcement represents a major step towards more comprehensive federal cybersecurity regulation.

  • Pros and Cons of the 2015 Cybersecurity Information Sharing Act

    At the end of 2015, the Cybersecurity Information Sharing Act (CISA) was signed into law by President Obama as part of a larger omnibus spending bill. In the years prior to 2015, the US suffered many major cyberattacks, including the 2013 Target Corp data breach that leaked the private information of 110 million people and the 2014 cyberattack on the United States’ Office of Personnel Management that affected 22.1 million American citizens. In 2015 alone, multiple major cyberattacks leaked the information of 300 million people and led to $1 billion in damages. Recognizing the need for increased cybersecurity protections, CISA was passed with bipartisan support, although controversy over the bill still remains. Broadly, the act allows for cybersecurity information sharing between private and public entities in the interest of national security. A key provision of this act is that information sharing with the government is completely voluntary.

    Advocates of CISA support two main arguments:

    1. It is critical to protect private data. Given the cyber environment leading up to the passage of CISA, it was clear that cyber criminals had begun using increasingly complex tactics. In the early months of 2015, the Department of Defense had begun advancing and streamlining its cyber capabilities, and some cybersecurity proponents argued that the private sector should follow its lead. Thus, CISA represents an attempt to develop more capable defenses and responses to cyber incidents in order to protect private information in the United States.
    2. It is important to develop public-private cooperation in cybersecurity. Neither private companies nor the federal government alone possess the requisite capabilities to protect critical infrastructure and data from cyberattacks. Public-private cooperation provides a cost-effective and dynamic approach to cybersecurity protection, and advocates have argued that the US should take advantage of such a model. CISA allows the Department of Homeland Security (DHS) to receive cyber information (cyberattack indicators, malicious code, etc.) from private organizations, integrate that data, and provide comprehensive defense strategies for all to use. In addition, if one company were to discover signs of an attack, this information could be sent to DHS and a warning could be distributed to other companies within minutes.

    Critics of CISA argue the following:

    1. CISA does not properly control how shared information can be used. Those against CISA argue that once data is shared with the federal government, there are no provisions in place to ensure that the data is only being used for cybersecurity-related purposes. Privacy advocates like the Electronic Frontier Foundation say that CISA takes cyber control away from DHS and allows other government entities to access shared information. They argue that CISA creates an environment conducive to excess sharing and loss of oversight on the regulation of sensitive shared data. Other critics say that such practices would lead to a surveillance state where the government could conduct unauthorized searches using the data collected via CISA.
    2. The government is not capable of rapidly processing cyber information. Some against CISA argue that the government is not equipped to deal with the fast-paced nature of cyberattacks. They say that cyber criminals do not require consensus decisions to organize their attacks, while the government cannot move at such speed. Additionally, CISA critics argue that private companies are already engaging in extensive information sharing practices, and adding the government into such frameworks only slows these processes down. They also say that the government already has more data than it can process, so the input of additional information is useless.

    In the years following the passage of the Cybersecurity Information Sharing Act, cyberattacks remain an ever-present threat, as exemplified by the attacks on Colonial Pipeline in 2021 and Uber in 2022. Accordingly, CISA has undergone multiple revisions since its passage in 2015 in attempts to improve its efficacy and address privacy concerns. CISA has been effective in incentivizing public-private information sharing, yet adjustments are still needed to improve the quality of the data being shared.

  • Charles Wang, University of Pennsylvania

    Charlie is a sophomore at the University of Pennsylvania studying Computational Cognitive Science and Political Science. Through conducting scientific research in fields like chemistry and artificial intelligence, he has developed a passion for technology and the policies that govern its usage in society. Through coursework and previous internship experience, he has become interested in AI, data governance, and cybersecurity, which he hopes to further explore as a student fellow at ACE. With the constant evolution of technology and technology policy, Charlie believes it is important to publish objective and clear resources to help audiences make informed decisions on convoluted topics. In his free time, he enjoys hiking, skiing, and golfing.