A new report claims that the Commerce Department’s voluntary cybersecurity framework could end up undermining the online protections it seeks.
The report out on Thursday from George Mason University’s Mercatus Center claimed that the plan amounts to “opaque control” of the Internet, which could undermine the “spontaneous, creative sources of experimentation and feedback that drive Internet innovation.”
Companies, the authors wrote, “already have intrinsic incentives to develop cybersecurity solutions” without a formal government plan.
Those standards, in fact, are based on industry norms and market trends which “are more robust, effective, and affordable than state-directed alternatives,” they added.
The voluntary framework released by the Commerce Department in February outlines how financial services firms, power companies and other critical infrastructure businesses can beef up their protections against cyberattacks.
Supporters have said that the guide is a step toward safer networks and critical protections against a future impending cyberattack. Lawmakers and administration officials have warned of a “cyber Pearl Harbor” for which the United States is currently unprepared.
But study authors Eli Dourado and Andrea Castillo say that kind of rhetoric is overblown and serves as a distraction from the steady stream of data breaches and cyber spying that authorities should be going after.
“There’s very little evidence that any of these cyber doom scenarios -- planes falling out of the sky, power systems being taken down -- there isn’t any evidence that that’s a serious threat,” Dourado, a research fellow at the Mercatus Center, told The Hill. If the threat is real but the details are being kept secret, he added, they should be released so that companies can be prepared.
Dourado pointed to the recent “Heartbleed” cyber encryption bug, which has websites urging people to change their passwords but has otherwise had a minor effect on the country.
“People were saying on a scale on of one to 10 it was an 11,” he said. “We see very little economic fallout from this. This is not going to affect GDP.”
Instead of the current framework, the researchers want to more narrowly define which critical infrastructure industries should comply with the suggestions, have the government kick-start a cybersecurity insurance market by purchasing coverage for federal agencies and make it easier for companies to learn about new threats and share the information.