Private industry will be asked to do two things by any cybersecurity legislation coming from Capitol Hill: adhere to minimum standards and share threat information with the government and within the private sector itself. So what does private industry want in exchange from a new cybersecurity bill? It needs the federal government to provide incentives to buy into the proposed cybersecurity frameworks and legal protection for sharing information. This only makes sense; new regulation means new costs, and information sharing could also expose companies to new liabilities. So what does the government have to offer by way of incentives?
First, the government maintains an almost unfathomable amount of information, from the most highly classified state secrets to the results of publicly funded research on fisheries in Alaska. And thanks to the Freedom of Information Act (FOIA), Americans can request that information and use it as fuel for litigation or to smear the reputation of a competitor who may have suffered a data breach. Any new cybersecurity legislation can, and should, provide broader blanket protection from FOIA requests for private companies.
Next, the federal government has a fair number of sticks in its arsenal, but not as many carrots when it comes to encouraging private companies to participate in cybersecurity programs. Turning some of these sticks into carrots would go a long way towards encouraging participation. A good starting point would be to exempt companies that comply with certain baseline standards from liability for data breaches.
To be sure, privacy rights advocates such as the Electronic Frontier Foundation and the ACLU have valid concerns, and those concerns should be addressed. Specifically, any legislation should limit the use of information shared with the government to computer security. But the inescapable truth is that private industry has to work with the federal government in the realm of cybersecurity, and that will have to include the free flow of information and adherence to certain baseline standards.
When asked why he robbed banks, Willie Sutton is said to have replied, “Because that’s where the money is.” So, too, with cybercrime and those who hold the data. The private sector holds enough valuable data to ensure its continued targeting by malicious actors. Removing the barriers to effective information sharing both to and from the federal government and providing incentives for implementing cybersecurity programs will only save the country money in the long term.
Griffin is a Truman fellow at the Truman National Security Project, and a privacy and cybersecurity attorney at Crowell & Moring LLP.