I know there are plenty of my colleagues in the security industry who differ with my opinion. They want the government to stay out of legislating cybersecurity. But when matters rise to the level of a national interest, that is exactly the circumstance in which our government needs to act. We have reached that threshold. The government needs to act. In the long run, it will enable the security industry to do what needs to be done. It doesn't have to be perfect; it just needs to get the ball rolling.
Some of my friends say what we need is to put both civil and criminal negligence rules in place to hold those who are negligent in implementing cybersecurity liable. But isn't that a law in and of itself? In order to prove negligence, we need to prove a deviation from the reasonable. I don't see how that is different from the government passing a cybersecurity law.
There is another line of reasoning that no matter what laws we pass, no matter what the security industry does, we can never truly safeguard our critical infrastructure. Advanced persistent threats (APTs) and similar attack methods render all of our defenses inadequate. Perhaps that is true. But that is not a reason not to try. If at first we fail, we will try again. If that fails, we try yet again. Not succeeding on the first try, or even not succeeding at all, is never a reason to stop trying to do what must be done.
So while there are people who say that the government should stay out of cybersecurity regulation, I think now is the time that the government needs to get involved. Our critical cyber infrastructure extends beyond the government's own networks. We need to make it clear what a reasonable organization must do to protect itself and what the consequences are if it does not.