Overcoming the Challenges of Incentivizing Cybersecurity

Senate Intelligence Committee Hearing on Signal Leak
(L-R) Director of the National Security Agency Gen. Timothy Haugh; FBI Director Kash Patel; Director of National Intelligence Tulsi Gabbard; CIA Director John Ratcliffe; and Director of the Defense Intelligence Agency Lt. Gen. Jeffrey Kruse testify before the Senate Intelligence Committee hearing on “Worldwide Threats” on Capitol Hill in Washington, D.C., on March 25, 2025. (Photo by Maansi Srivastava for the Washington Post)

This report is part of the larger compendium “Future-Proofing U.S. Technology: Strategic Priorities Amid Chinese Tech Advancement.”

Cybersecurity evolves rapidly, while government operations are intentionally deliberate and thoughtful. Against ever-adapting threat actors in China, Russia, and state-sponsored groups, regulations and the cybersecurity industry remain out of sync. Cybersecurity needs a shake-up to break free from the pattern it has followed over the past several years. In particular, the industry is stuck in a cycle in which a few large cybersecurity vendors control the lion’s share of the market while successful cyberattacks compound year after year. Each breach leads to promises of fixes, only for the pattern to repeat.

Since expecting legislators to keep pace with technological advancements and adapt regulations in real time is unrealistic, a more effective method is to focus on basic security principles. Regulators should adopt a “build up from the floor” approach, which starts with a minimal foundation of general rules, then monitors their impact before crafting further solutions. This paper explores this approach in depth, hoping to stimulate progress while minimizing the effects of poorly designed regulations. Regulations following this approach that respond to the multiple needs of the cybersecurity industry and broader tech industry will foster an economic climate in which innovation is not stifled. 

We can start by taking a simple goal, such as incentivizing businesses to secure sensitive data, then build up by offering multiple paths to success while rewarding preferred security outcomes. Regulations should broadly apply across endpoints, networks, cloud services, internet-of-things devices, and mobile technology to remain adaptable. There are multiple ways in which this example could be applied, but it demonstrates the “build up from the floor” approach to incentivizing cybersecurity. Policymakers and regulators should start with a specific security goal, incentivize desired outcomes, and ensure the goal is widely applicable. This paper also expands on this approach with policy recommendations to ensure both the public and private sectors are able to effectively tackle evolving challenges from U.S. competitors and adversaries.

  1. Government should leverage cybersecurity expertise through open source tools and resources, influencing private sector practices better than regulations, as shown by NIST CSF 2.0 and CISA. 
  2. Government should provide cybersecurity certifications, education, and training to help private organizations improve security practices by reducing financial burdens. 
  3. Government should more cleanly centralize its communications on cybersecurity standards and incident reports to enable more effective regulatory compliance and overall safety.
  4. Public partners on cybersecurity regulation must remain separate and autonomous from departments employing or researching cyber attacks, to foster trust between the government and the cybersecurity industry.  

Maxime Lamothe-Brassard began his cybersecurity career at the Canadian Department of National Defense before providing direct assistance to organizations facing cyber defense challenges. His career includes key roles at CrowdStrike and Google, as well as being part of Chronicle Security’s founding team, ultimately leading him to establish LimaCharlie to revolutionize security operations infrastructure. 


The views expressed in this article are those of the author and not an official policy or position of New Lines Institute.
