Cybersecurity Finger-pointing
Regulation vs. Markets for Software Liability, Information Security, and Insurance

The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then I wouldn’t stake my life on it.1
Computer security expert Gene Spafford

Executive Summary
The principle for cyber-risk allocation, as much as one can be defined, is that government’s protection function should not overburden the ability of markets to self-insure or self-protect via technology, contractual liability and insurance instruments. Although there is not always a bright line, government must better distinguish between proper public and private responsibilities in information security, and avoid dictates that interfere with these private alternatives as technologies or other conditions change. Interventionist approaches will create jealousies among players, and lead to a politically driven hodgepodge of liabilities and immunities. Uncritical government assumption of responsibility for network and critical infrastructure risks can roll back progress without contributing to information security, cybersecurity or even national security.
Copyright © Small Business Network, Inc.