Critical Infrastructure Cybersecurity: Government Regulation or Private Industry Self-Regulation?
Whenever I read articles like the above I can see both sides of the story. Is it the responsibility of the US Government to protect “critical infrastructure” or does private industry do it better? After living in both worlds, I ask the question: why does it have to be one or the other? Why can’t it be the responsibility of both?
Shhhhh, I have a secret. Private industry actually wants government regulation because it makes it easier for them to say, from a litigation perspective, “I have met the responsibilities that the government requires, so if anything bad happens, I am protected.” The US Government does not want the responsibility of policing private industry, as there is a lot of innovation that comes from private industry and they can act faster than the bureaucratic machine that exists in the government.
So why does it have to be one or the other? Your way or my way? I never understood that. If the government establishes a minimum baseline of requirements for critical infrastructure and private industry improves on those baselines depending on their industry and risk posture, how is that bad? Ultimately, that’s what it is supposed to be about, right, the best protection? There are brilliant minds in government and private industry; why is it that one has to be better than the other?
I can actually say I know the answer. What say you?