Should the Government Require Companies to Meet Cybersecurity Standards for Critical Infrastructure?

Richard Forno, director of the graduate cybersecurity program and assistant director of the Center for Cybersecurity at the University of Maryland, Baltimore County, makes the case for government standards and oversight. Anne Hobson, a program manager with the Mercatus Center at George Mason University, argues that the development of targeted, sector-specific solutions is the better option.

YES: The industry can’t do it on its own

By Richard Forno

Society depends on critical infrastructures like power distribution, water supply, transportation, the internet and more to be available for use all day, every day. These systems, however, are under constant attack and many are part of a cyber environment that isn’t easily secured.

While some industry sectors are better able to secure themselves than others, aged, embedded and/or proprietary hardware, and the hodgepodge ways these systems have been brought into the information age are just some of the problems that make it difficult to secure them effectively.

Industry cooperation on cybersecurity standards, best practices and information sharing are helpful in fostering stronger infrastructure security on a daily basis. However, I am less sanguine that industry can handle the realities of protecting America’s critical infrastructures without some degree of federal and state government regulation and oversight—along with appropriate funding and incentives—to ensure a meaningful level of acceptable security, resilience and accountability.