Abstract

http://ssrn.com/abstract=2135618
 


 



At War Over Cybersecurity Regulation: Balancing Privacy and Security


Carol M. Hayes


University of Illinois College of Law

Jay P. Kesan


University of Illinois College of Law

August 1, 2012

Illinois Public Law Research Paper No. 13-03
Illinois Program in Law, Behavior and Social Science Paper No. LBSS13-04

Abstract:     
Cybersecurity threats come in all shapes. They might look like the theft of payment data held by private retail stores, or a blackout enabled by the exploitation of a vulnerability in the power company’s computer systems. There are several paths to cyber defense, but the two that this Article emphasizes are: (1) uncovering vulnerabilities, and (2) adopting technologies to enhance cybersecurity. We illustrate these two options through a case study of two items: the proposed legislative regime of the Cyber Intelligence Sharing and Protection Act, and President Obama’s Executive Order 13,636 with its emphasis on a Cybersecurity Framework that would establish voluntary cybersecurity standards.

Many of the proposals for enhancing cybersecurity have the potential to compromise individual privacy. Is this an inherent trade-off? Should citizens resign themselves to losing some digital privacy in the interest of improved cybersecurity? The importance of balancing these two interests is the primary focus of this Article. To this end, we propose a new conceptual framework that is applicable to information sharing programs involving the government and the private sector. Our conceptual framework visualizes a “circle of trust” that would regulate and limit the dissemination of shared information.

Our secondary focus is whether such a program should emphasize voluntary or mandatory compliance. The Executive Order and CISPA both use a voluntary approach. The Executive Order proposes the creation of voluntary cybersecurity standards through the Cybersecurity Framework. CISPA’s voluntary regime focuses on allowing private firms to share cyber threat information with the government. Under each system as currently proposed, firms could choose to follow the program, but compliance is not mandatory and there is no penalty for noncompliance. However, mandatory programs with effective enforcement mechanisms are likely to result in higher levels of compliance than purely voluntary programs in many situations. We urge that government intervention in the free market should be kept at a low level, but because cybersecurity issues can have implications for national security, we believe that some degree of mandatory regulation would be beneficial.

We believe that cybersecurity can be enhanced without creating a Big Brother world, but it is vital that these issues be addressed soon while there is still a chance to prevent a catastrophic cyber event. It would be ill-advised to rely solely on executive power or on legislation that is quickly drafted and enacted after an emergency. Congress should come together now and find a workable legislative approach to ensure that a possible future crisis can be met with the optimal response. A careful, deliberative process aimed at protecting cybersecurity and civil liberties would ultimately be the most beneficial approach, and these steps must be taken now, before the emergence of a cybersecurity crisis that causes us to suspend reason.

Number of Pages in PDF File: 109

working papers series



Date posted: August 25, 2012 ; Last revised: March 27, 2014

Suggested Citation

Hayes, Carol M. and Kesan, Jay P., At War Over Cybersecurity Regulation: Balancing Privacy and Security (August 1, 2012). Illinois Public Law Research Paper No. 13-03; Illinois Program in Law, Behavior and Social Science Paper No. LBSS13-04. Available at SSRN: http://ssrn.com/abstract=2135618 or http://dx.doi.org/10.2139/ssrn.2135618

Contact Information

Carol M. Hayes
University of Illinois College of Law
504 E. Pennsylvania Avenue
Champaign, IL 61820
United States
Jay P. Kesan (Contact Author)
University of Illinois College of Law
504 E. Pennsylvania Avenue
Champaign, IL 61820
United States
217-333-7887 (Phone)
217-244-1478 (Fax)
HOME PAGE: http://www.jaykesan.com