- The traditional regulatory model for cybersecurity, in use for the last 30 years, obviously has not worked. As the Executive Director of the Agency for Cybersecurity, Juhan Lepassaar, told POLITICO earlier this year, “The European Union urgently needs to rethink its cyber defenses as it faces an unprecedented volume and pace of attacks … We are losing this game. And we’re losing massively. We just don’t need an upgrade. We need a rethink.”
- There are three reasons for this failure. First, the traditional regulatory model is too slow to keep pace with cyber threats. Regulations enacted in 2026 likely wouldn’t be fully effective until 2030. This inherent time lag will only be exacerbated as we fully enter the AI era. Second, all current economic incentives favor the attackers – cyberattack methods are cheap, easy to acquire, and enormously profitable. Finally, there is the massive resource inequity between nation-state attackers and private industry. The CISO for Verizon recently characterized the reality of the current attack posture this way: “We’re really dealing with an extremely sophisticated nation-state threat actor that will do anything and everything, at any price, to get a foothold into our critical infrastructure.”
- In addition, nation-state attackers are not just stealing data but are now strategically compromising the infrastructure itself in virtually all critical industry sectors with potential military implications. The typhoon attacks are evidence that this is already happening.
- Cybersecurity is no longer just a consumer protection issue — it’s a national security issue, and national security is a government responsibility that cannot be achieved through restrictive regulation.
- Is the opposition’s position that every piece of software should be mandated to come out of the box impenetrable to a concentrated nation-state attack? And how expensive, usable, and competitive would all that software be? Remember, most of our economic growth and prosperity is based on these technological advancements.
- Relying further on government mandates to enforce security will truncate needed innovation in a hyper-competitive AI world while continuing a failed policy model with respect to security.
- On the other hand, we have never tried a concerted market incentive program for cybersecurity. There are, in fact, numerous historic examples where market incentives have been used to solve large novel problems such as the one we have with cybersecurity.
- Government naturally has a role — in fact, a more demanding role than as a traditional adversarial regulator. This would begin by the government not treating industry as “the other” to be disciplined and penalized for “bad behavior.” The fact is, the bad guys are stealing personal data, corporate intellectual property, and national secrets. We are actually all on the same side! We need to act that way.
- Much as Director Lepassaar said, we need a full “re-think” of our overall approach. We need a new, truly collaborative, market-based incentive model that addresses both the technology and the economics of cybersecurity. In the new model of governance, the government would stimulate and promote pro-social behavior through market mechanisms that are dynamic enough to keep pace with accelerated technological innovation of the modern age.
- We have done this before. Let me give you a couple of examples. The greatest environmental catastrophe in US history was the Dust Bowl – virtually the entire Midwest was uninhabitable due to ill-conceived farming. No one wanted to live there – too risky. To help resolve that issue, the government provided the insurance industry with a backstop against systemic failure. This allowed the insurance industry to lower its rates, which lowered the risk to farmers, who repopulated the region with better practices incentivized by the insurance – no regulation, just government-industry collaboration. We can do the same with cyber risk.
- Second example – COVID, the worldwide pandemic with no vaccines, which generally take a decade or more to develop. But thanks to Operation Warp Speed – a government-industry collaboration – we developed multiple practical vaccines in 10% of the usual time, saving millions of lives.
- We need to develop similar government-industry partnerships that will rebalance the economics of cybersecurity by providing market incentives to stimulate innovative technologies and practices.