I read a good article this week on CircleID by Bruce Levinson. He talks about how eventually cybersecurity will be something the federal government regulates, alongside other more familiar types of activities such as financial transactions and the environment. You can disagree about the proper role of government in the regulation of private networks, but he positions this challenge in an interesting way. Here’s the link.
Levinson writes that the current regulations are very limited and each agency pursues cybersecurity in its own fashion:
Agencies’ approaches to cybersecurity risk management are being driven by their different statutory responsibilities and authorities rather than reflecting regulatory mechanisms which have been tailored to the needs to different industries. Although a one-size-fits-all federal attitude toward cybersecurity regulation is not necessarily beneficial, neither is an ad hoc modus operandi.
Levinson works at the Center for Regulatory Effectiveness, so he thinks about these issues a lot. He doesn’t pretend to have the answers, and his article closes with a call for more honest dialogue. There is no doubt that would be a positive step. Yet one thing I didn’t see in the article was an acknowledgment that security breaches are inevitable. How is the damage contained once a breach occurs, and how can you proactively defend critical networks, rather than just guard the gates?
I talked about a different philosophical approach to security back in April. The basic Internet infrastructure was not designed with security in mind. You can’t hide behind a locked door in cyberspace. What you need to do is take ever practical step to secure your networks, then assume they will fail and take steps to immediate detect breaches and immediately start mitigating the damage.
It’s a hard concept for an extremely risk averse culture like the federal government to grasp, the inevitability of failure. But without it the cybersecurity regulatory dialogue Levine calls for will not be honest or effective.