Creating a 'Circle of Trust' to Further Digital Privacy and Cybersecurity Goals
Jay P. Kesan
University of Illinois College of Law
Carol Mullins Hayes
August 18, 2014
Forthcoming, Michigan State Law Review
Illinois Public Law Research Paper No. 13-03
Illinois Program in Law, Behavior and Social Science Paper No. LBSS13-04
Cyberattacks loom over the technological landscape as a dire threat to Internet commerce, information security, and even national security. Meaningfully improving cybersecurity and ensuring the resilience of systems will require cooperation between members of the private sector and the government. To this end, we propose a framework that creates a circle of trust for the sharing of information about threats and solutions. To emphasize the importance of cooperation to enhance cyber defense, this Article presents a case study of two items: the proposed legislative regime of the Cyber Intelligence Sharing and Protection Act, and President Obama’s Executive Order 13,636 with its emphasis on a Cybersecurity Framework that would establish voluntary cybersecurity standards. Through application of our circle of trust framework, we hope to provide a solution that balances the sometimes competing concerns of privacy and cybersecurity.
Our secondary focus is whether such a program should emphasize voluntary or mandatory compliance. A proper balance between the two approaches could improve the dynamics between the public and private sectors in a way that increases respective levels of trust. The Executive Order and CISPA both use a voluntary approach. Under each system as currently proposed, firms could choose to follow the program, but compliance is not mandatory and there is no penalty for noncompliance. However, mandatory programs with effective enforcement mechanisms are likely to result in higher levels of compliance than purely voluntary programs in many situations. We urge that government intervention in the free market should be kept at a low level, but because cybersecurity issues can have implications for national security, we believe that some degree of mandatory regulation would be beneficial.
We believe that cybersecurity can be enhanced without creating a Big Brother world, and encourage the development of a circle of trust that brings the public and private sectors together to resolve cybersecurity threats more effectively. It is vital that these issues be addressed soon while there is still a chance to prevent a catastrophic cyber event. It would be ill-advised to rely solely on executive power or on legislation that is quickly drafted and enacted after an emergency. A careful, deliberative process aimed at protecting cybersecurity and civil liberties would ultimately be the most beneficial approach, and these steps must be taken now, before the emergence of a cybersecurity crisis that causes us to suspend reason.
Number of Pages in PDF File: 86
Keywords: Cybersecurity, legislation, technology law, cyberlaw, privacy, intersectoral cooperation, public-private partnerships
Date posted: August 25, 2012 ; Last revised: June 3, 2015