Does America’s policy of voluntary regulation for cybersecurity enable better collaborative effort for standards development?
Cybersecurity has made it to living rooms and kitchen tables worldwide. Governments and policy makers globally are engaging in a serious debate about how much to regulate, what should be voluntary, and which industries should be subjected to whatever “it” is.
Pervasiveness of information technology throughout global critical infrastructures creates a sometimes uncomfortable reality. In many countries over 80% of critical infrastructure including electricity, water, gas, and telecommunications is owned and operated by private entities. Governments rely on this privately-owned critical infrastructure to support basic functions including defence, emergency services, law enforcement, intelligence, tax collection, and so on. Possible governmental approaches to cybersecurity vary from voluntary and objective-oriented to mandatory and prescriptive. In reality most governments are somewhere in the middle of this continuum.
The United States adopted a voluntary approach because it allows the industry to deploy the best possible solutions while continually supporting innovation. The nation has invested substantial resources into developing and implementing this voluntary approach that includes participation from government agencies, regulators, critical infrastructure owners and operators, suppliers of critical infrastructure services and components, academia, trade associations, and other stakeholders in keeping the interconnected world up and running. The road is challenging but early feedback indicates that it is helping take the national dialog about cybersecurity to a new level which increases awareness and helps address this fast evolving problem set.
How it all began
February 12, 2013 President Obama issued Executive Order (EO) 136361 entitled Improving Critical Infrastructure Cybersecurity. The EO directed the National Institute of Standards and Technology (NIST) to develop a voluntary cybersecurity framework that would apply across the critical infrastructure sectors. The Framework would be “prioritized, repeatable, performance-based, and costeffective including security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The Framework was to be developed in collaboration...