CircleID

The Congressional Research Service (CRS) recently released a major new study examining cybersecurity. The report, "Creating a National Framework for Cybersecurity: An Analysis of Issues and Options" discusses a variety of significant public and private cybersecurity concerns.

The CRS analysis lists several broad options for addressing cybersecurity weaknesses ranging from adopting standards and certification to promulgating best practices and guidelines and use of audits among other measures. However, the most crucial observation in the report is that none of the enumerated options "are likely to be widely adopted in the absence of sufficient economic incentives for cybersecurity."

The report goes on to explain that many "observers believe that cyberspace has too many properties of a commons for market forces alone to provide..." the needed economic incentives. Also noted in the report is that current laws, regulations and public-private partnerships "appear to be much narrower in scope than the policies called for in the National Strategy to Secure Cyberspace..." and related documents.

The CRS report discusses a variety of Congressional options for potentially improving cybersecurity including: use of product liability actions; development of cybersecurity insurance; and encouraging widespread adoption cybersecurity standards and best practices as well as "procurement leveraging by the federal government..." The report also notes that it will be updated in response to significant cybersecurity developments.

Thus, the CRS report places two key challenges before the public and private sectors: 1) determining whether there really are insufficient economic incentives for sufficiently strengthening cybersecurity; and 2) if there are insufficient incentives, determining how to craft the most efficient and effective measures for achieving needed cybersecurity improvements.

It is important that all stakeholders, including the government, take the measures needed to secure cyberspace. It is also important that, in attempting to improve cybersecurity, the government not create more problems than it solves. 

By Bruce Levinson, Senior Vice President, Regulatory Intervention

Related topics: Policy & Regulation, Security