Navigating the Wild, Wild West

By Brian de Vallance


Three observations: 

  1. Cybersecurity breaches, including ransomware, have become an ever-present threat to organizations of all sizes throughout the United States.

  2. As a nation, we have not yet determined the precise role that governments should play in providing cyber defense. 

  3. This combination is suboptimal.   


Cybersecurity is, largely, unregulated today. There is no national statutory minimum standard of information security. This condition makes it difficult to improve cybersecurity on a wholesale basis. Until there is a national legal standard, we are in a period where organizations must voluntarily adopt cyber best practices--the Wild, Wild West. The result: We are not as safe as we could be.


There is an interim step we can take. We can incentivize the voluntary adoption of cyber best practices. And, like in so many other times in our history, that innovation is happening first at the state level. In this context, the best example is the 2018 Ohio Data Breach Act, which establishes a legal safe harbor for organizations that voluntarily adopt certain recognized cybersecurity best practices (e.g., the NIST Cybersecurity Framework, the Center for Internet Security Critical Security Controls) and implement a written information security program. 


This approach does not require any organization to do anything. Instead, it creates an incentive to do the right thing--to improve cybersecurity according to a recognized industry standard--and receive an additional benefit in the bargain.   


Incentivizing the voluntary adoption of cyber best practices provides a concrete approach that this country can adopt to improve our network defenses as we continue to define the appropriate roles and responsibilities among governments and businesses--and navigate cybersecurity's frontier period.


Brian de Vallance formerly served as the DHS Assistant Secretary for Legislative Affairs and Senior Fellow for the McCrary Institute for Cyber and Infrastructure Security at Auburn University. 
