We have touched on the subject of regulation before in the blog post Nothing to Fear but Fear (i.e., Regulation) Itself. It is a complicated issue with multiple stakeholders (unfortunately, some of those stakeholders never get a seat at the table). We should have a reasoned debate over nationalizing cyber security for critical infrastructure and that debate ought to include more voices than just corporations (I know, corporations are supposed to be people too. I will believe that when a corporation goes to jail for breaking the law). Although the perspective herein is U.S.-centric, the issue is clearly not confined to any geographic location.
Points to ponder:
- Every owner or operator of critical infrastructure should be protected against nation state sponsored hackers. Although progress has been made, attribution is still a challenge and from a defenders point of view it’s immaterial. It doesn’t really matter who wrote the malware. What matters to the asset owner is providing some level of protection, mitigation, detection, response, recovery, etc.
- President Obama says “…it’s a national security issue…” Well, either it is a national security issue or it is not. If it is, then we should not leave national security issues in the hands of people making decisions based on business risk and profit.
- In the “no surprise” department: private entities have a built-in bias against sharing information especially when that information could hurt shareholder value. If the security of critical infrastructure were nationalized, then information sharing on threats, vulnerabilities and mitigations could be handled via secure channels across all sectors. Perhaps the Director of National Intelligence (DNI) could then accomplish one of his stated goals of information sharing.
- The liability of inadequate cyber-security could be shifted to the government. This could allow the owners/operators to focus on running their business and making a profit instead of fighting-off nation states.
- Whatever level of security an owner/operator of critical infrastructure implements, the cost is borne by the public anyway. Arguably, the tax paying public will get more effective protection for their money through nationalization.
- We have a working model: Airports are private, airlines are private, but the security of the flying public is assured by a government agency (e.g., the U.S. Transportation Security Administration). You can argue it doesn’t work well, but it works. You can claim it is not perfect, but it is getting better all the time.
- The U.S. Constitution says “…for the common defense…” Do we really expect that a small independent energy company in the Midwest has to protect itself from nation state cyber-attacks? This is why GE, Ford, and IBM don’t have their own armies, because the federal government, guided by the U.S. Constitution, provides that protection. Certainly the common defense extends to cyber-space too.