Josh Rogin, “NSA Chief: Cybercrime Constitutes the Greatest Transfer of Wealth in History,” July 9, 2012, available at Fm The methodologies underlying such claims are controversial and are discussed in Section 3.6 on threat assessment.Direct regulation might, for example, call for all regulated institutions to adopt certain kinds of standards relating to cybersecurity “best practices” regarding the services they provide to consumers or their own internal practices.Opponents of direct regulation argue that several factors would make it difficult to determine satisfactory regulations for cybersecurity.
For example, loss of intellectual property is today the poster child for _________________ Michael Daniel, “Incentives to Support the Adoption of the Cybersecurity Framework,” August 6, 2013, available at
—Voluntary standards setting by government can specify cybersecurity standards if private organizations do not so. This approach presumes that vendors and/or system operators held financially responsible for harms that result from cybersecurity breaches will make greater efforts than they do today to reduce the likelihood of such breaches.
Opponents argue that the threat of liability would stifle technological innovation, potentially compromise trade secrets, and reduce the competitiveness of products subject to such forces.
5 Tensions Between Cybersecurity and Other Public Policy Concerns As noted in Chapter 1, progress in public policy to improve the nation’s cybersecurity posture has not been as rapid as might have been expected.
One reason—perhaps the most important reason—is that cybersecurity is only one of a number of significant public policy issues—and measures taken to improve cybersecurity potentially have negative effects in these other areas.