Businesses want private solution to cyberproblems

A new presidential commission on cybersecurity may raise the visibility of a voluntary framework of cyberstandards promoted by the government and private sector alike.

But the message that business groups really want to hear, as often as possible, is that an industry-led approach to cyber is better than moving toward mandatory regulation.

“The commission will certainly look at the voluntary vs. regulatory debate as it develops recommendations that are actionable, practical, innovative, and ambitious,” Kiersten Todt, the executive director of the Commission on Enhancing National Cybersecurity, said in an interview last week.

She added that her panel’s work could help the framework “go viral” by raising its profile.

That would be a welcome development for private-sector representatives who embraced the framework process early on as the best way to pursue a flexible and cost-effective cyberstrategy, and one that isn’t dictated by the federal bureaucracy.

Some in industry have always been skeptical of the Obama administration’s commitment to a voluntary, industry-driven approach, even when the White House in 2013 tasked the National Institute of Standards and Technology with collaborating with the private sector on a framework of standards.

That framework, released two years ago, has become the key point of engagement between government and industry on cybersecurity.

But a sense is growing in industry that the White House’s oft-stated commitment to the voluntary spirit of the framework is unmatched across the government, particularly by agencies with regulatory authority over industries.

Further, critics say, the government has taken only limited steps to promote the framework or to help industry, particularly smaller companies, make costly investments in cybersecurity.

A coalition of trade associations, representing most if not all critical-infrastructure sectors of the economy, is privately discussing ways to promote the framework and demonstrate its effectiveness to both a business and a regulatory audience.

The alternative, industry sources say, is that the framework becomes a regulatory compliance tool in the hands of federal agencies.

The industry representatives are meeting directly with NIST and other agencies like the White House Office of Management and Budget to discuss their concerns and goals. And they are looking at all the potential platforms to advocate for close adherence to a framework-oriented approach to cyber.

The national cyber commission, created by presidential executive order, seems a likely venue for those discussions. The commission must deliver a report to the president by December and plans a series of what it hopes will be high-profile events around the country.

Generating a discussion on how the nation should approach cybersecurity, and whether regulators or industry should be in the lead, could be its most valuable contribution.

Charlie Mitchell is editor of InsideCybersecurity.com and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” coming this spring from Rowman and Littlefield.
