FRAMINGHAM 8 MARCH 2011 - The U.S. government should look to incentives as a way to encourage businesses to adopt better cybersecurity practices, instead of creating mandates, recommends a new paper from four trade groups and a civil liberties group.
Although some cybersecurity experts have called for new regulations, "a more government-centric set of mandates would be counterproductive to both our economic and national security," said the paper, released Tuesday by the Internet Security Alliance (ISA), the U.S. Chamber of Commerce, TechAmerica, the Business Software Alliance and the Center for Democracy and Technology.
U.S. President Barack Obama's Cyberspace Policy Review, released in May 2009, focuses on partnerships between private companies and the government, and recommends that private industry drive cybersecurity standards. Abandoning Obama's review and the National Infrastructure Protection Plan, released in 2009 by the U.S. Department of Homeland Security, for a more regulatory approach would "erode trust," the paper said.
"There is concern ... that new policy initiatives may consider replacing the current model with an alternate system more reliant on government mandates directed at the private sector," the paper said. "This change of direction would both undermine the progress that has been made and hinder efforts to achieve lasting success."
The paper isn't aimed at any specific proposals for more government mandates, said Larry Clinton, ISA's president. But in February, James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, called for the U.S. government to take a bigger role in protecting cyberspace.
"We've had market failure when it comes to cybersecurity," Lewis said in a story at GovConExecutive.com. "Security doesn't come out of voluntary actions and market forces."
Lewis wasn't available Tuesday to comment on the new report.
The report wasn't targeted at cybersecurity legislation introduced by members of the U.S. Senate Governmental Affairs and Homeland Security Committee, Clinton added. That legislation would allow the U.S. president to take emergency actions, including possibly shutting down or quarantining parts of the Internet, to protect against massive cyber-attacks, and it would establish a new cybersecurity center at DHS, which would work with private businesses to establish cybersecurity standards.
Regulatory mandates are "clearly part of the discussion," Clinton said. "What we're saying is, that system would be antisecurity. We think that mandates would not be responsive to changes in technology."
Some cybersecurity critics seem to want to blame the technology by suggesting the Internet is broken, Clinton added. "That's not really the problem here," he said. "It's not that the system is a bad system, it's that the system is under attack. The Internet, in normal use, is wonderful -- the problem is when people attack it."
Sign up for Computerworld eNewsletters.