Politech mailing list archives

FC: CSIS' James Lewis replies to Politech on WH cybersecurity report


From: Declan McCullagh <declan () well com>
Date: Fri, 20 Sep 2002 07:33:14 -0700

Previous Politech message:

"Defense hawks bash White House report, want new laws, regulations"
http://www.politechbot.com/p-03999.html

James Lewis was one of the two CSISers I quoted in that article as wanting more laws. He had said: "Cybersecurity is too tough a problem for a solely voluntary approach to fix. Companies will only change their behavior when there are both market forces and legislation that cover security failures. Until the U.S. has more than just voluntary solutions, we'll continue to see slow progress in improving cybersecurity."

-Declan

---

Date: Fri, 20 Sep 2002 10:16:33 -0400
From: "James Lewis" <JALewis () csis org>
To: <declan () well com>
Subject: Defense Hawks bash, etc

Declan: I actually think the National Strategy is very strong, but I
question the heavy reliance on voluntary action and self-regulation.
Politech readers might want to look at the section (460 words) from a
draft report that I pasted below.  It outlines ideas on regulation as an
incentive for cybersecurity. Thanks, Jim Lewis

***
In a perfect market, the private sector would purchase adequate
security and firms would offer the products needed for it.  This has not
been the case.  While some industry sectors (such as financial services)
have moved to increase security, other sectors may not improve absent
increased incentives.  Despite arguments that market forces and the
evolution of the IT industry will improve security voluntarily, we must
ask if cybersecurity, as with health, environmental, or safety issues,
requires further government intervention.

Government intervention could include direct or indirect subsidies for
cybersecurity spending, i.e. tax relief, R&D funding, or the use of
Federal purchases to promote more secure products.  It could also
include reinsurance subsidies (the U.S. provides reinsurance for natural
catastrophes) in exchange for insurers' adherence to cybersecurity
standards such as ISO 17799.  Continued exhortation by government
officials for the private sector to voluntarily take action is a form of
intervention that occasionally is effective.

Governments can also use law and regulation as incentives to encourage
certain behaviors.  Legislation and regulation (or even the threat of
legislation and regulation) will energize the private sector to move
faster in cybersecurity.  Regulation should avoid a heavy-handed,
prescriptive approach and instead aim to increase transparency and
assign responsibility, leaving it up to individuals as to how best to
meet requirements.  The Health Insurance Portability and Accountability
Act of 1996 and the Gramm-Leach-Bliley Financial Reform Act, by creating
responsibility for privacy (and consequently security), worked to
increase awareness and demand for security products and are useful (but
not perfect) models of this.

While security is an ongoing problem and Y2K was a single event, Y2K
may also be a model on how regulation can energize private sector
behavior for cybersecurity.  The primary function of government in Y2K
was as an organizer and educator.  The Y2K effort gathered and
disseminated information, organized multinational networks, shared
information on best practices and worked through public-private
partnerships to raise awareness.  However, regulatory action by the
Securities and Exchange Commission and by banking regulators also played
a galvanizing role in Y2K preparations.  Companies had to show publicly
and to their regulators that they had taken adequate steps to protect
against Y2K disruption.  Similar SEC requirements for companies to
report the steps they are taking to protect themselves from cyber attack
would improve network security.

Internet policy problems challenge governments' ability to carry out
their functions.  Traditional governmental responses, such as
prescriptive regulation, will not create cybersecurity, but neither will
a reliance on self-regulation and voluntary action.  One solution may be
a new style of governance built on explicit public-private partnerships.
Defining the scope of these partnerships and the responsibilities of
each partner requires that we identify places where the market
response is weak as candidates for government action, and which
government actions (if any) would be an appropriate response.



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
CNET Radio 9:40 am ET weekdays: http://cnet.com/broadband/0-7227152.html
-------------------------------------------------------------------------