The Cybersecurity Framework Is the Wrong Approach
April 30, 2014
The new Cybersecurity Framework will cause more problems than it solves, say Eli Dourado, a research fellow, and Andrea Castillo, a research associate, at the Mercatus Center.
The Cybersecurity Framework is a federally designed plan to improve cybersecurity for firms designated as "critical infrastructure sectors" by the Department of Homeland Security. The Framework is composed of three parts:
- The Framework Core is a compilation of best cybersecurity practices for each category within a critical infrastructure sector. It contains standards intended to serve five basic functions -- identify, protect, detect, respond and recover.
- The Framework Implementation Tiers are measures of compliance within each category. Compliance levels range from Partial (the first tier) to Adaptive (the fourth tier).
- The Framework Profile provides a score to each organization on its level of cybersecurity compliance.
The program is voluntary. Unfortunately, it is not the right approach. Dourado and Castillo say that the absence of a central cybersecurity is not proof that there is not sufficient cybersecurity, noting that private companies already have incentives to develop their own cybersecurity solutions. Market-based standards are more effective than state-mandated plans, which run the risk of becoming "mired in unwieldy top-down complexity."
Source: Eli Dourado and Andrea Castillo, "Why the Cybersecurity Framework Will Make Us Less Secure," Mercatus Center, April 17, 2014.