Biden Administration Must Engage Private Sector on Cybersecurity

Since early last year, the coronavirus pandemic has presented a public health crisis so vast that it dominated the news and discussions around public policy. As COVID-19 accelerated the digitization of the U.S. economy, a far less noticed epidemic was also spreading — a proliferation of cyberattacks. According to the FBI, the number of daily reported cyberattacks increased to 4,000 by April 2020, representing a 400 percent increase over the pre-coronavirus figures. Last month, security firms uncovered a massive breach linked to a software company, affecting hundreds of Fortune 500 companies and government agencies.

As the extent of economic damages due to growing cyberattacks against the private sector becomes evident, the Biden administration must develop policies to mitigate cybersecurity risks. Instead of creating more stringent cybersecurity regulations, the U.S. government should create incentives for businesses to adopt the best cybersecurity practices and insure against cyberattacks.

In response to growing cyber threats, Congress recently passed legislation such as the 2019 National Cybersecurity Preparedness Consortium Act and the State and Local Government Cybersecurity Act. While this legislation sought to improve cooperation between local, state, and federal governments, it failed to address the bigger problem — poor cyber hygiene in corporations. Consequently, the private sector — which comprises critical institutions like hospitals — remains an Achilles’ heel for national cybersecurity.

As a result, many policymakers are increasingly supporting a heavy-handed approach to cybersecurity regulation. For example, some experts advocate a federal cybersecurity framework modeled on the EU’s General Data Privacy Regulation, but aimed at improving cybersecurity. Others argue that the U.S. government should grant corporations immunity or limited liability for data breaches if they implement government-mandated cybersecurity regulations. The claim is that these regulations will create a more secure data environment and benefit American consumers and the economy in the long run. However, there are at least three reasons why such proposals are unlikely to be effective.

First, because of the federal government’s lack of cybersecurity expertise, there is little reason to assume that the government, rather than the private sector, is better suited to address cybersecurity threats. That is especially the case as leading corporations — like big tech and banks — are well aware of cybersecurity risks. Given the crippling costs of data breaches and cyberattacks, these companies have strong incentives to protect against malicious cyber activities.

Second, even if the U.S. government cooperates with leading corporations to develop mandatory cybersecurity regulations, a one-size-fits-all policy will be highly costly. For instance, a small startup providing food delivery services does not need the same cybersecurity protocols as financial institutions, hospitals, or other critical infrastructure. By mandating the same cybersecurity regulations on small businesses as on large corporations, a one-size-fits-all approach will considerably burden small enterprises.

Third, while a government-backed insurance scheme might protect companies from future liability, it reduces the incentive to innovate — precisely because companies will not be liable for losses from cyberattacks. As a result, instead of innovating, corporations are more likely to adopt the minimum cybersecurity standard required to avoid future liabilities. In other words, while such a mechanism shields companies from future tort claims, it does little to protect consumers from possible data breaches.

Instead, the U.S. government should incentivize private companies to seek insurance for business operations. Despite growing risks, most businesses remain uninsured against data thefts and cyberattacks.

Read the full article at Real Clear Policy.