A paper written by a bevy of industry groups calls on the federal government to restrain from increasing its regulatory presence in cybersecurity for critical infrastructure, most of which is in the hands of the private sector.

Federal officials have increasingly questioned the ability of the industry to protect itself against cyber threats. But the Business Software Alliance, the U.S. Chamber of Commerce, the Internet Security Alliance, TechAmerica and the non-profit Center for Democracy & Technology argue in a March 8 paper that what's actually needed from government are incentives, information sharing and other forms of cooperation with the private sector.

Cost and complexity, not a lack of ability or commitment, have been the largest problems in implementing good cybersecurity, the paper states. "Abandoning the core tenets of the [current] model in favor of a more government-centric set of mandates would be counterproductive to both our economic and national security," the paper adds.

It also warns that increased federal engagement in corporate networks would "raise skepticism by global customers regarding the U.S. government's access to their corporate or consumer data." That would have the effect of driving customers away, the paper adds.

Further, were the government to attempt to establish its own system of cybersecurity standards, it would only succeed in creating a second-tier system that fails to gain widespread adoption, thereby weakening security, the paper says.

Among the steps government should take, say paper authors, is instituting a set of incentives that would motivate companies to voluntarily adopt additional security practices and make technological investments. For example, the government could stimulate growth of a private cyber insurance industry, give liability protection (without necessarily guaranteeing immunity) and give tax breaks for cybersecurity investments.  

The paper also calls for additional information sharing--long recognized as a standing problem--adding that what's needed is an increase in the quality but not necessarily the quantity of information flowing from the government to the private sector.

In addition, the paper urges the government to create a national cybersecurity research and development plan in cooperation with the private sector, i.e. formation of a plan not based principally on the needs of federal agencies. Increasing the number of science, technology, engineering and mathematics college students also gets a mention as a recommendation.

For more:
- download the paper (.pdf)

Related Articles:
Cybersecurity legislation awaiting White House response 
NTIA sets stage for IANA change 
FBI pondering legislation to strengthen wiretapping ability 
Cybersecurity runs deep in fiscal 2012 budget request