The Public Eye with Eric Chabrow

New Case Against Voluntary Standards

CEO Group Doesn't See Voluntary Standards Leading to Regulation
Remember the cybersecurity legislative compromise that wasn't in the last Congress?

Supporters of the failed Cybersecurity Act of 2012 originally called for federal regulation of the nation's critical IT infrastructure. But when industry balked, the bill's sponsors excised those provisions and came up with what they saw as a compromise: Industry and the federal government would collaborate to develop best practices that infrastructure owners could voluntarily adopt.

Still, the mostly Republican opponents to regulation balked at that provision, too, with many contending voluntary standards could eventually lead to regulation. (That rationale echoes the argument that banning assault weapons would lead to the government taking away all guns from their owners.)

What role the federal government should perform in developing IT security standards will resurface in the new Congress as lawmakers take up new cybersecurity legislation.

The Business Roundtable, an association of chief executive officers from the nation's biggest companies, doesn't like the idea of government developing voluntary standards with business, but offers a different and non-conspiratorial argument against them: They distract Congress from focusing on a more important element of cybersecurity, information sharing.

No, collaborating on creating best practices to be voluntarily adopted will not lead down a slippery slope toward regulation, contends the Roundtable's Liz Gasster. But such cooperation would take the eye off the ball of developing more crucial threat information sharing processes.

Besides, Gasster maintains, critical infrastructure owners already have devised and deployed security best practices, and developing new ones would merely provide boxes to check off that wouldn't furnish adequate cyber defense.

"The role of best practices is well documented and well understood," Gasster says in an interview. "The danger is assuming that those capabilities and those steps would protect you against the greatest threat, and that would be unfortunate because we are more sophisticated than that, and our adversaries are more sophisticated than that. And too much focus in that area could take away valuable resources and attention from the greatest threat ... and [companies] taking steps to address it."

I'll post more in the coming days from my interview with Gasster, who says she believes lawmakers will compromise to get cybersecurity legislation enacted in the new Congress, especially on information sharing provisions that would protect businesses from anti-trust lawsuits and individuals from having their privacy and civil liberties compromised by information sharing.

In the meantime, check out the Roundtable's new report, entitled More Intelligent, More Effective Cybersecurity Protection, which emphasizes the need to create a process by which the federal government and business would share threat information, some of it classified, to help defend against outsider attacks on key information systems.

* * *

Correction: Liz Gasster's last name was misspelled in an earlier version of this article.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
