With the presidential elections literally days away, it’s critical to our national defense posture that whichever candidate is elected, the issue of cybersecurity rises to the surface again with a sense of urgency, priority and gravitas—but without the threat of costly, overzealous regulations.
In August, the Cybersecurity Act of 2012 made it through Congress, but fell short of the 60 votes needed in the Senate for it to pass. Not surprisingly, support for the bill was divided among those who believe government should set standards and regulations to make the private sector improve security and those who argue that regulations would threaten privacy and civil liberties. Those in the latter camp also contend that the Federal government isn’t nimble enough to keep pace with the evolving threat landscape. And most of the people in this camp believe regulations would stifle or even harm innovation in the private sector and thwart progress in this critically important sector.
As a business owner and entrepreneur leading Red Lambda, a new company making inroads into the Big Data/cybersecurity arena, it’s probably fairly obvious that I fall into the latter group. I do not believe we can regulate our way to solving today’s cybersecurity challenges.
While we all recognize that regulations are absolutely necessary for the smooth functioning of our society, it’s easy to look back into our recent legislative history to see where the heavy hand of government—despite good intentions—didn’t prevent the problem it was intended to solve and, in fact, made the situation far worse.
Sarbanes-Oxley is just one of many examples. After the Enron and WorldCom accounting scandals, SOX legislation was enacted to re-establish confidence in our financial system by mandating accountability and meting out severe punishment so these types of incidents never happen again. The result? Not only was there a steady stream of high-profile corporate governance scandals in the 10 years after SOX, but many experts would argue that the legislation also reduced U.S. competitiveness, created confusing, complex regulations, imposed onerous compliance costs on businesses, and reduced the number of companies willing to go public. Good intentions, unintended consequences. The cybersecurity industry should take heed.
There is no doubt that the intentions behind the Cybersecurity Act of 2012 were good—to form a cooperative partnership between the government and the private sector to share data on the latest cybersecurity threats. I believe that a private-public partnership is absolutely vital in fighting cyber terror.
However, there must also be a thorough understanding of how any sort of cybersecurity legislation would be implemented and how it would impact businesses and even the public. As one Silicon Valley executive said about the failed Cybersecurity Act, “The real opportunity loss was the fact that, at least initially, they wanted to build a centralized exchange between the public and private sectors for threat information. They weren’t clear on how they were going to do it, but the fact they wanted to do it was important.” (italics mine). This statement seems indicative of how the ramifications of implementing a new law are often not carefully thought through. With so much at stake today in the cybersecurity arena, we cannot afford the “how” to be an afterthought.
The bottom line is this: companies in the cybersecurity sector must be allowed to do what they do best—innovate. The Federal government can’t solve a problem like cybersecurity alone. Solving it requires traits that the private sector can best deliver—innovation, agility, ingenuity. You can’t mandate those things. The private sector is hard-wired with these traits. It’s in our DNA. Heavy-handed regulations more often than not have the deleterious effect of shifting the focus from problem-solving to hiring compliance and legal experts to avoid fines and lawsuits.
The government does, however, have access to information that the private sector needs to combat cyberterror. This is where the two can work together to foster an environment of cooperation and sharing. Federal agencies have access to information that the private sector is clamoring for to help them become more aware of potential attacks on their networks.
A far more straightforward, 13-page, business-friendly bill (HR 3523, the Cyber Intelligence Sharing and Protection Act, or CISPA) was put forth by Congressman Mike Rogers, Chairman of the House Permanent Select Committee on Intelligence. Had it passed, it would have delivered a completely voluntary solution with built-in protections for privacy and civil liberties. Despite the setback, Congressman Rogers is committed to working across party lines to find a way to bridge the divide and share information. He knows this is crucial to our national and economic security.
Currently, there is talk of the White House issuing an executive order to enforce key aspects of the Cybersecurity Act. I hope this isn’t the case, as I believe this would wreak havoc with our ability to protect our national security and intellectual capital. While no one knows the outcome of the election, we will continue to look toward those leaders who can put politics aside and find ways to forge a powerful public-private partnership that unites the technology innovators, financial industry leaders and the government to leverage each group’s expertise so together, we can combat today’s cybersecurity threats.