Federal Standards: An Alternative to Regulation and Litigation
Recent high-profile cases of identity theft and other cybersecurity breaches have raised the prospect of 1) increased federal regulation of private-sector cybersecurity; and 2) potential liability for companies that fail to maintain IT security.
At a recent cybersecurity conference, a former senior federal cybersecurity official and a well-known cybersecurity expert were reported to have said that "companies will not get serious about securing their networks and protecting customer data until they are forced to do so by regulations that impose fines or other penalties for failing to secure their networks." However, senior technology industry association officials "argued that regulation would stifle innovation and wouldn't solve the problems..."
What is missing from the debate is an informed discussion of the role federal cybersecurity standards could play in bolstering both governmental and private sector cybersecurity. The National Institute of Standards and Technology (NIST) has been charged by Congress and the White House with taking the lead in developing federal cybersecurity standards and practices. NIST cybersecurity standards and guidelines are developed through open public processes with the participation of the private sector. The draft and final NIST cybersecurity documents are freely distributed by the agency.
Before new regulations are enacted or corporate IT departments become the next playground for trial lawyers, it is worth exploring how increased federal-private cybersecurity cooperation could improve IT security for all stakeholders while providing incentives for increased innovation.