Why Cost-Benefit Analysis is Essential for Cybersecurity Policy Development

Editor’s Note:  A recent article, found here, in the distinguished journal Foreign Policy suggests, without making a definitive statement, that a successful, destructive cyber-attack on the United States may be more of an inconvenience than a disaster.  However, while noting that “Planes didn’t fall out of the sky. Governments didn’t collapse. Thousands of people weren’t killed” during a major power blackout in India is fine for articles, it is not particularly relevant for US policy decisions, which is why rigorous analysis rather than anecdote is essential for policy development.

The article states that “the potential cost to industry [of cybersecurity regulation] also seems to be a major factor in the bill’s rejection” and that “it’s a lot more cost-efficient to search out vulnerabilities in widely-used computer programs like the Windows operating system, used by banks and other affluent targets, than in one-of-a-kind SCADA systems linked to generators and switches.”  Both statements may well be true but, again, their relevance to regulatory policy decisions is unclear.

An analysis of the costs of a power disruption from a cyber-attack on the US power grid would need to focus more on what would happen here rather than on what did not happen in a country with a very different level of infrastructure development and dependence.  Moreover, it is questionable whether a salami-slice approach to analyzing critical infrastructure protection would be appropriate. Given the interconnected nature of the internet and the economy, the costs and benefits of any contemplated cybersecurity regulations or similar policies would need to be analyzed in an integrated manner in addition to being analyzed on a sector-specific basis.

Executive Order 12866, Regulatory Planning and Review, which was reaffirmed by President Obama, states that “In deciding whether and how to regulate, agencies should assess all costs and benefits of available regulatory alternatives, including the alternative of not regulating.”  Thus, when analyzing cybersecurity regulation from a macro perspective, the costs of not regulating include not only a probabilistic share of the economic costs that would be incurred if the lights go out but also the economic value of intellectual property that is stolen due to a lack of effective cybersecurity.

For more information about the importance of cost-effective cybersecurity regulation, please see FISMA Focus here.
