Government to Industry: Self-Regulate Cybersecurity, or Be Regulated
If the private sector does not establish effective cybersecurity standards, government will impose them—like it or not.
With cyber losses running in the hundreds of billions of dollars, the private sector must establish its own standards for cybersecurity or face government regulations that would be painful for some firms. Either way, regulatory guidance is necessary for the private sector to avoid potentially fatal hemorrhaging of assets and information to cybermarauders.
These points were offered by the Tuesday panel at the AFCEA International Cyber Symposium, being held June 24-25 in Baltimore. Four experts examining the issue from both sides agreed that self-regulation was the desirable outcome.
“The problem is so serious that we will get regulation if we don’t provide voluntary support,” said panel moderator Al Berkeley, chairman, Princeton Capital Management and former vice chairman at NASDAQ. That government regulation likely will not suit all companies, he offered. “If we don’t get our arms around it voluntarily, we will find ourselves with regulation that we don’t like. [Government] regulation generally is one-size-fits-all,” he said.
Berkeley cited the electric utility industry as a private sector that has been able to self-regulate its industry issues for many years. The financial industry also has been somewhat successful at self-regulation. And, self-regulation can produce faster results. Government regulation often takes a decade to develop and implement. Securities and Exchange Commission laws can take about three years, but private sector self-regulatory rules can be imposed quickly.
Also, the issue of trust between government and the private sector, which is so important to the public/private partnership for cybersecurity, will suffer with government-imposed regulation. “Trust hasn’t worked as well when government is a hammer-wielding regulator instead of a partner,” Berkeley observed.