Cooperation between federal cybersecurity authorities and privately owned critical infrastructure was the focal point of a Government Executive/SANS Institute briefing sponsored by Northrop Grumman. Extending federal cybersecurity oversight and regulation to private sector components through legislation received particular attention.
Although panelists from the Executive Branch and Congress generally agreed on the need to modernize the government’s cybersecurity regulatory authority, they endorsed no specific solutions. One panelist noted that expanding “FISMA reporting which sucks money out of the economy” would not be beneficial. Another panelist discussed the possibility of applying cost-benefit analysis to potential regulatory requirements.
There is no question that there is a pressing need for improved private sector cybersecurity. There is also no question that unless security improvements are cost-effective, they are not likely to be widely implemented. Thus, there is a need for federal and private stakeholders to develop appropriate cost-benefit tools and metrics for assessing cybersecurity regulations.