Senior officials from the White House and Department of Homeland Security on Thursday defended the administration's hands-off approach to improving critical infrastructure cybersecurity, arguing that mandatory regulations would stifle innovation, hurt the economy and raise difficult questions about privacy and civil liberties.
"The administration's belief is that a voluntary approach has worked in other areas," said Michael Daniel, special assistant to the president and cybersecurity coordinator at the White House. Daniel spoke about the administration's recently released Framework for Improving Critical Infrastructure Cybersecurity at an event hosted by Bloomberg Government.
"We believe that driving to a voluntary approach is going to be the right way to go and the right way to actually get the level of uptake that we want," Daniel said.
But Daniel, along with Phyllis Schneck, the deputy undersecretary for cybersecurity at DHS, and Patrick Gallagher, director of the National Institute of Standards and Technology at the Commerce Department, fielded an array of questions about the framework's lack of enforcement powers and the administration's failure to provide any incentives to the private owners of critical infrastructure to dedicate resources to follow the guidelines.
"I believe in letting business drive business," Schneck said. "Look at the framework as a non-prescriptive set of guidelines that help you look at your risk-consequence analysis," she said, after describing the current cyber-threat landscape as a threat to "our way of life" in the U.S.
"I don’t think that throwing money at this is the answer," Schneck said.
But for state and local governments that lack the budget to follow the framework's recommendations, DHS is willing to help, she said.
"If the states will agree to look at the guidance, we will fund their managed security services for the foreseeable future," Schneck said.
Gallagher said the test for the framework will come when the administration is able to determine the adoption rate -- something officials acknowledged will be extremely difficult to measure.
"Our starting point is that we would like to see how far you can make these practices consistent with good business," Gallagher said. "We think the alignment is pretty strong."
In response to questions about the voluntary nature of the framework, Gallagher said there are many examples in other areas of the economy where voluntary standards have worked.
"Most product safety standards in the United States are done through voluntary compliance," Gallagher said. "I think of regulation as a response to a market failure when collective behavior is either hard or impossible. Voluntary is not synonymous with weak."
Daniel stressed the difficulty of trying to raise the bar across the nation, from small businesses to large critical infrastructure enterprises. And while there's still a role for legislation, such as the national data breach notification law the Obama administration is proposing, cybersecurity will ultimately remain a market-driven requirement, he said.
"Ultimately for most companies, it’s going to be the market that drives [cybersecurity]," Daniel said. Because cyberspace has no traditional borders, it means everybody lives on the border, he said. And providing border security in cyberspace "would require us to be in places that people don’t want us to be," for privacy and civlil liberties reasons.