0 Members and 1 Guest are viewing this topic.
On Monday morning, President Obama appointed Phyllis Schneck, a vice president at the cybersecurity firm McAfee, as the next Deputy Under Secretary of Cybersecurity at the Department of Homeland Security (DHS). At first glance the appointment of a private-sector expert seems like it could improve DHS’s approach to cybersecurity. Real cybersecurity improvements, however, will only take place if the Obama Administration fundamentally changes course and abandons its unreasonable regulatory demands.Such a change is highly unlikely. As it stands, the President’s executive order (EO) on cybersecurity encourages regulators to regulate the cybersecurity of the private sector. With the threat of regulation hanging over the private sector, the EO, no matter who is overseeing it, will not build the true public-private partnership the U.S. needs for reliable cybersecurity.Issued in February, the EO calls for the National Institute of Standards and Technology (NIST) to create a list of cybersecurity standards. DHS and other departments are then to create a voluntary program to promote the adoption of these standards by the private sector. The Administration recently announced some of the incentives it is considering, of which several are noteworthy: Offering certain preferences in federal grants and cybersecurity assistance, Promoting cybersecurity insurance in the process, and Providing public recognition to companies that participate.While these incentives may encourage some private involvement in the program, the EO cannot provide crucial incentives including liability, regulatory use, and Freedom of Information Act (FOIA) protection. Only Congress can offer these protections, and without them, many businesses will be afraid of having to fight court cases and bad press for merely trying to cooperate on cybersecurity. While it is good to know that Phyllis Schneck, someone who knows the private sector, will be leading the development and implementation of this system, critical limitations remain.Perhaps most importantly, the EO allows and encourages regulators to make the “voluntary” NIST standards into mandatory requirements using their existing authority. A mandatory system not only has the potential for large costs and a compliance-over-security mindset, but it also destroys true partnership and cooperation. After all, forcing someone to do what you want isn’t usually viewed as cooperation, but coercion.Instead of coercion and limited incentives, the U.S. should pursue cybersecurity policies that promote real cooperation and security. A truly voluntary system of cybersecurity information