by Sandy Kendall

Should the Government Regulate Cyberspace Security?

Sep 16, 2002 | 3 mins
CSO and CISO, Data and Information Security

The National Strategy for Securing Cyberspace will be released this Wednesday, and in the words of the White House's website, it will be "an agreed road map of what Government (at all levels) will do, what Congress could do, what industry (in all critical sectors) will do, and what higher education and [nongovernmental organizations] will do as part of our collective national effort to secure cyberspace."

The description is broad because the document is huge. The strategy is driven by 53 questions chosen by The President's Critical Infrastructure Protection Board after consultation with private and public sector leaders and technical experts. In order to inform the Board, the public last spring was invited to respond to the 53 questions, which covered security topics from minute to comprehensive, from home use to global implementation. For instance: What disclosure of risk should ISPs, software vendors and hardware vendors make to home users and small businesses? What information about IT security should the corporation disclose to its stockholders, to its creditors, to its auditors, to its Board? What role should procurement policy have in improving Federal IT security? What risks to privacy could arise from some approaches to achieving IT security? How can those risks be eliminated? What arrangements should exist for sharing information about vulnerabilities and malicious activity among institutions in various nations? More questions (many more questions) can be found on the White House website, but you get the picture. It's enough to make your head spin.

And now, as the document is finalized and reviewed, the result is making more heads spin. Industry heads, that is. Which seems strange, because according to the industry trade association ITAA, technology companies had clamored for a cybersecurity plan in the first place. According to a story in last week's Washington Post, pushback from industry bigshots persuaded our national strategists to drop their earlier recommendation that ISPs bundle security technology with their software, as well as their recommendation that a privacy czar be appointed to oversee corporate use of customers' personal information. The Post reported that some technology companies balked at the implementation costs and liabilities related to the security measures. Last but not least, the government is asking industry to adopt the strategy voluntarily, and not by force of regulation.

A cynical observer might conclude that industry wants it both ways. Corporations want regulations that will make cyberspace safe, but they don't want to pay for them. Who should make the final call? Should the government tell the tech industry how to take care of itself? Tell us what you think.