Two quick facts about American industry’s resilience against cyber-attack: (1) our critical infrastructure is inadequately protected, and (2) federal regulation will be required to fix the problem. Reliance on market forces alone will not be sufficient, irrespective of whether or not Sony Pictures survives. Although regulation is needed, it needs to be coordinated and, above all, cost-effective.
Which agency is in charge of regulating cybersecurity? Right now, it’s a free-for-all, with agencies staking out turf and claims of authority. The Federal Trade Commission (FTC), which does not have specific critical infrastructure protection responsibilities under either Presidential Policy Directive 21 (PPD-21) or the President’s Executive Order 13636 on improving cybersecurity, is among the most aggressive of agencies in asserting regulatory authority.
One example of multiple agencies attempting to regulate the same thing is consumers’ secure use of their health data. The FTC, the FDA and the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) are all attempting to regulate mobile health apps. Unfortunately, when regulators compete, industry, innovation and consumers lose.