
National Cybersecurity Strategy needs help
The National Cybersecurity Strategy outlined by the Biden administration in its current form is unlikely to become the law of the land, but it is remarkable in the sense that it starts to shift the tenor of the cybersecurity conversation in a way that is long overdue.
Specifically, the Biden administration is calling for a rebalancing of the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments and onto the organizations that are most capable and best-positioned to reduce risks.
The means being proposed to achieve that goal require some form of Congressional legislation. It’s not clear, however, if the Biden administration has enough political capital to get such legislation passed any time soon. Republicans in the U.S. House of Representatives are not easily inclined toward passing any bill that would increase the number of regulations businesses need to navigate, so whatever laws do get passed are not going to shift the burden completely off of individuals, small businesses, and local governments. The Internet is still very much going to be a resource that organizations will continue to employ at their own risk.
There are other means by which that cybersecurity burden could be more effectively shifted. Many of the terms and conditions that individuals and organizations routinely sign contain language that limits cybersecurity liability. The level of accountability for mishandling data or deploying applications riddled with vulnerabilities is fairly low. If organizations want better security, they will be better off voting for it with their wallets rather than waiting for Congress to someday require it. If it becomes apparent to providers of applications and cloud services that they are losing market share because of cybersecurity issues, it won’t be long before investors in those entities force the issue.
Lawsuits also have a critical role to play. The financial cost to providers of applications and cloud services needs to be stiffer. When a breach occurs today, those entities incur remediation costs, but the amount of compensation provided to their end customers is generally limited. The average consumer is likely to receive a limited-time offer to have their credit monitored for free. Alas, very few of them switch vendors because of a security breach, so there is not much of an incentive for providers of applications and services to actually do better. Individuals and organizations will need to press for larger financial settlements if cybersecurity is to improve.
Of course, one of the best things any administration might do is simply shine a bigger spotlight on the issue. Malware is a clear and present danger to national security. Hauling executives into Congressional hearings to testify about how a breach occurred is likely to yield positive results. No one wants to be publicly shamed for being incompetent, especially when that testimony might have a material impact on a stock valuation. The amount of resources being allocated to cybersecurity will, as a result, undoubtedly increase.
In short, there are many mechanisms and levers that can effect positive change that don’t require the passing of watered-down legislation that, even if ever signed, is likely to then be challenged for years to come. The real issue is mustering the collective will to employ them.
