Cybersecurity threat rhetoric not supported by evidence, researchers argue

The authors of the report, "Loving the Cyber Bomb", argued that proponents of greater government cybersecurity regulation in Congress, the Obama administration, and the media have been fanning the flames of an inflated public conception of the threat.

“A cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well”, the report argued.

This push for greater government cybersecurity regulation has been undertaken without economic analysis to determine the actual need or effectiveness of this regulation, the report said.

“We see very little verifiable evidence for the sort of rhetoric that we’ve been hearing…Until we have evidence to know one way or the other, we really can’t say what the real state of cybersecurity is and whether we need government intervention to help with that”, Jerry Brito, a senior research fellow at George Mason and a co-author of the report, told Infosecurity.

Good information security practices create both public and private benefits, the report said. Therefore, companies have an incentive to implement strong protections against viruses, spyware, and other threats to data integrity. The question then becomes, are there enough private benefits to prompt firms to provide enough security?

“What is the case that the private sector isn’t doing this already? If you can show that there is a market failure that leads the private sector to not have an incentive to do this on their own, then perhaps you could consider government intervention. But we feel that the case has not been made”, Brito said.

“Even if the case can be made for market failure and that government intervention is necessary, then you have to ask yourself, what can the government do better than private industry”, he added.

The GMU report cited the Commission on Cybersecurity for the 44th Presidency report prepared by the Center for Strategic and International Studies (CSIS) as being particularly egregious in its lack of evidence to support its assertions. For example, the CSIS report stated that an "appropriate level of cybersecurity cannot be achieved without regulation, as market forces alone will never provide the level of security necessary to achieve national security objectives."

But the GMU report countered that the CSIS report provides no evidence to support this blanket assertion. “The burden is on proponents of regulation to explain how they determine what is the appropriate level of cybersecurity, and how they determine that the private sector is under-providing it. Those are empirical questions that, as we have seen, have so far only been answered with assertions.”

Brito sees no distinction between critical infrastructure and the rest of the IT infrastructure regarding the need for government intervention. “Who decides what is critical infrastructure? The government does.” Instead of focusing on critical infrastructure versus non-critical infrastructure, policy makers should be examining whether there is a market failure in providing cybersecurity in general. “But we are not seeing that type of analysis now”, Brito said.
