3 May 2022

Incentives, Not Orders, Will Strengthen American Cybersecurity

Yameen Huq

This past month, President Joe Biden signed into law a $1.5 trillion omnibus bill that contained the “Strengthening American Cybersecurity Act,” one of the largest cybersecurity reforms in nearly two decades. Title II of the bill, the “Cyber Incident Reporting for Critical Infrastructure Act of 2022,” contains new requirements for companies involved in federally-designated critical infrastructure—broadly defined as including everything from banks and hospitals to power grids—to provide cybersecurity incident reports to the Cybersecurity and Infrastructure Security Agency (CISA) in a timely manner. Incident reporting is vital for a secure economy; we can’t expect to protect our most important assets if we do not understand the battlefield.

Unfortunately, the regulations in this act are not the most effective way to achieve these aims. Congress should revise it in a future bill to promote incident data production and consumption through improved incentives, not just directives. Such a law must address the three kinds of market failures present in the market for cybersecurity incident data—free-riding, externalities, and adverse selection—with targeted solutions for each: knowledge subsidies, negligence fines, and voluntary certifications.
