US officials rule out cybersecurity compulsion

Now is not the time for the US government to mandate cybersecurity standards to private industry, despite significant threats and...

Despite the significant threat and a lack of understanding among business bosses, the US government should not impose cybersecurity standards on private industry, a panel of officials has declared.

The panel of cybersecurity-focused US officials said government rules were not the right way to encourage private companies to adopt best practices.

Panel member Bob Dix said the government should develop carrots for companies looking to upgrade their cybersecurity efforts rather than apply the stick. He said the panel was debating incentives such as an investment tax credit and a limit on legal liability for companies adopting cybersecurity best practices but which still leaked consumer data.

Dix believes best practices should be set by private industry rather than by government-defined standards.

Chrisan Herrod, chief security officer for the US Securities and Exchange Commission, said part of the problem was the lack of general agreement on what cybersecurity best practices were. "We're not there yet," she said, when asked about the government laying down rules. "I don't think it's possible to mandate something when you don't have agreement on what that something is."

Laura DeMartino, cybersecurity legal advisor at the Federal Trade Commission, said one industry might require different standards from another, and a small business might have different cybersecurity requirements from a large business. "A broad government mandate may not be needed for a company that does not maintain sensitive consumer information."

However, the panel said many business executives still failed to give cybersecurity sufficient attention. "The threat is real, the vulnerabilities are extensive, and the time for action is now," Dix said.

Herrod said she was "very disappointed" in the lack of effort between private companies and the government to agree on best practice. "It's a lot of talk, and very little demonstrable action," she said.

"We would love to see information assurance and information security standards as part of corporate governance, but not in the context of mandating them," said Herrod. "In the context of every company following the best practices they can possibly put in place, I'm very concerned that we haven't gotten there yet. CEOs in corporate America still don't get it. They still don't concern themselves with information security as much as you would think they would."

John Landwehr, security strategist for Adobe, said government's role should be to create awareness about cybersecurity at all levels of technology users. "Awareness and education, in our minds, is the biggest thing we can do. There's a lot of education we can do at all levels."

Grant Gross writes for IDG News Service
