In the United States, the Government possesses information and technical capabilities that private enterprises simply do not have. But what is the proper role of the government in the cyber realm? Should it provide cybersecurity for the private sector or should the government require that the private sector secure its own networks to a particular standard? These topics are currently under great debate in the United States.
The Internet is a complex system, made up of a growing number of networks and digital devices. It would be exceedingly difficult for any one body or organization to manage and ensure the integrity (viability) of the Internet without massive resources and sweeping authorities, including the standardization of security practices. Such standardization could restrict and slow the innovation that has sparked the global ITC industry; could limit the flexibility, and thereby the value, a network provides to its owner; and, in the long run, could actually make networks more vulnerable, especially in instances of state-sponsored hacking. And at a time when virtually no country has escaped the impact of the economic downturn, new standards and regulations would be poorly received.
As such, the government should not endeavor to provide or manage security for a nation’s networks. Instead, the government should enable strong security by sharing information on threats and risks and facilitating the exchange of best practices and security techniques. Government should provide private sector firms the information necessary to protect themselves. It should create an environment in which firms are encouraged to take more than minimal security steps and are rewarded for doing so.
There is currently much discussion about moving cybersecurity into the Cloud, essentially having Internet Service Providers act as the first layer of defense for both government and private sector networks. This is an innovative first step and will be explored. But, the hackneyed expression is still applicable, “there is no silver bullet” to cybersecurity and pushing security responsibility to ISPs cannot be the entire answer.
The author is a member of the U.S. House of Representatives.