Some Thoughts on The Heritage Foundation’s Cybersecurity Questions

Editor’s Note: In the blog posting “Cybersecurity Act of 2012 Is Back, but Same Problems and Questions Remain,” David Inserra of the Heritage Foundation asks a number of important questions regarding proposed cybersecurity legislation. Below are the views of FISMA Focus on three of those questions:

Is information sharing limited?

The Heritage Foundation is right when they state that instead “of returning to a pre-9/11 security mindset, we should encourage sharing with appropriate oversight.” Sharing of relevant security information between the private sector and federal agencies, between federal agencies and the private sector, and among private sector entities needs to be a basic component of any responsible strategy for protecting critical infrastructure.

How much will it cost?

The question is crucial, but Heritage’s passivity in waiting for a federally-estimated price tag is counterproductive. As FISMA Focus has explained, “Cost-Benefit Analysis is Essential for Cybersecurity Policy Development,” and cybersecurity regulation must be cost-effective or it will not succeed. However, instead of waiting for a regulatory impact analysis to estimate costs, the private sector needs to engage with agencies to develop cost-effective means of implementing cybersecurity protections. Put simply, the private sector now has the opportunity to start shaping cyberdefense costs and benefits by developing case studies and Best Practices. Companies that take advantage of current opportunities to influence federal cyberdefense requirements may well do so in a manner that provides them with competitive advantages.

Can the federal government develop good standards?

Yes. NIST, along with DHS and other federal security partners, is performing an irreplaceable job in developing effective cybersecurity standards and practices. The failure of some agencies to adhere to federal cybersecurity requirements does not reflect on the requirements themselves.
