Cybersecurity breaches, including ransomware, have become an ever-present threat to organizations of all sizes throughout the United States.
As a nation, we have not yet determined the precise role that governments should play in providing cyber defense.
This combination is suboptimal.
Cybersecurity is largely unregulated today. There is no national statutory minimum standard of information security, and that absence makes it difficult to improve cybersecurity on a wholesale basis. Until there is a national legal standard, we are in a period where organizations must voluntarily adopt cyber best practices--the Wild, Wild West. The result: we are not as safe as we could be.
There is an interim step we can take. We can incentivize the voluntary adoption of cyber best practices. And, as at so many other times in our history, that innovation is happening first at the state level. In this context, the best example is the 2018 Ohio Data Breach Act, which establishes a legal safe harbor for organizations that voluntarily adopt certain recognized cybersecurity best practices (e.g., the NIST Cybersecurity Framework, the Center for Internet Security Critical Security Controls) and implement a written information security program.
This approach does not require any organization to do anything. Instead, it creates an incentive to do the right thing--to improve cybersecurity according to a recognized industry standard--and to receive an additional benefit in the bargain.
Incentivizing the voluntary adoption of cyber best practices provides a concrete approach that this country can adopt to improve our network defenses while we continue to define the appropriate roles and responsibilities of governments and businesses--and navigate cybersecurity's frontier period.
Brian de Vallance formerly served as the DHS Assistant Secretary for Legislative Affairs and Senior Fellow for the McCrary Institute for Cyber and Infrastructure Security at Auburn University.