For the first time since 2005, the U.S. National Institute of Standards and Technology (NIST) has revised the federal cybersecurity standards. Since the last update, flash memory, Wi-Fi, smartphones, microchips, and social media have burst onto the scene.
Why has NIST not updated the federal cybersecurity standards much sooner? Because regulation moves about as quickly as cold molasses. Writing regulations takes 24–36 months, while the processing power of computers doubles every 18–24 months. This means that by the time a regulation is implemented, it’s already outdated.
Nonetheless, the current cybersecurity regime in D.C. is regulation heavy. On February 14, President Obama issued an executive order (EO) on cybersecurity that, although it took some steps to promote information sharing, mandated a new set of regulations—which NIST was put in charge of.
Between May and November 2012, the federal government suffered 13 cybersecurity breaches and failures. Clearly the government’s current method isn’t working.
Instead, the government needs to harness the power of the private sector, which is adaptable and innovative in ways that a federal government slowed by bureaucracy simply is not. Cyber legislation that incorporates seven non-regulatory elements will enhance the U.S.’s cybersecurity.
One of these elements is information sharing. If companies can share cyber threat and cybersecurity information among themselves and with the government, then the U.S. cyber community as a whole will be better protected. However, there are a few things that need to take place before the information can flow freely.
First, information sharing should be effectively enabled but not mandated. This means revising outdated laws and establishing a new structure to ensure rapid sharing between the private sector and the government. This structure should be nimble and thus should not be housed within any government entity. Instead, information sharing should take place through a public–private partnership organization that includes representatives from government, industry, and privacy groups—similar to the way the Internet is currently governed.
Second, companies sharing information about cyber threats, vulnerabilities, and breaches need strong legal protections from baseless lawsuits. If information sharing is going to take place, companies need to be protected, not punished.
Congress should include these elements, among others, in whatever legislation it ultimately creates. Updating regulations every eight years is simply not an effective way to maintain our nation’s cybersecurity.
Sarah Friesen is currently a member of the Young Leaders Program at The Heritage Foundation.