NCPA - National Center for Policy Analysis

The Cybersecurity Framework Is the Wrong Approach

April 30, 2014

The new Cybersecurity Framework will cause more problems than it solves, say Eli Dourado, a research fellow, and Andrea Castillo, a research associate, at the Mercatus Center.

The Cybersecurity Framework is a federally designed plan to improve cybersecurity at firms in the sectors the Department of Homeland Security has designated as "critical infrastructure." The Framework is composed of three parts:

  • The Framework Core is a compilation of cybersecurity best practices organized around five basic functions -- identify, protect, detect, respond and recover -- each of which is broken into categories that map to existing industry standards.
  • The Framework Implementation Tiers describe how fully an organization's risk management practices implement the Core. The tiers range from Partial (the first tier) to Adaptive (the fourth tier).
  • The Framework Profile records which Core outcomes an organization currently meets and which it is targeting; the gap between the two is meant to guide its improvements.

The program is voluntary, but Dourado and Castillo argue it is still the wrong approach. The absence of a central cybersecurity standard, they say, is not evidence that firms lack adequate cybersecurity, since private companies already have strong incentives to develop their own security solutions. Market-based standards are more effective than state-mandated plans, which run the risk of becoming "mired in unwieldy top-down complexity."

Source: Eli Dourado and Andrea Castillo, "Why the Cybersecurity Framework Will Make Us Less Secure," Mercatus Center, April 17, 2014.
