Cybersecurity Balance: Too Much Regulation Will Stifle Economy, Stall Innovation


Lawmakers need to strike the right balance with regulations designed to rein in surveillance and bolster privacy, said a panel of experts who warned against European data privacy restrictions that could stifle innovation and restrain economic growth in the region.

The latest round of regulations that seek to re-establish control over government surveillance activities must contain the right mix of safeguards without overreaching or policymakers risk stagnating economic growth and stifling technology innovation, said panelists during a session at RSA Conference 2014. In a discussion titled "To Regulate Or Not To Regulate Cybersecurity: That Is The Question," the panelists from a variety of think tanks and consultancies warned that government regulation could harm economic competitiveness globally and set the stage for other nations to gain ground on U.S. technology providers.

[Related: 10 Ways NSA Surveillance Revelations Could Impact The Channel]

The threat landscape, combined with emerging security technologies, moves at a faster pace than regulators can establish and maintain effective rules, said Paul Rosenzweig, founder of Red Branch Consulting and a senior adviser to The Chertoff Group. Once in place, regulation takes up to two years to adapt to market changes, Rosenzweig said.

"Regulation is the least nimble, least dynamic in its ability to change itself," Rosenzweig said. "What we're experiencing today is wildly different than attacks we were experiencing two or three years ago."

Regulators should take a more pragmatic approach to cybersecurity, said security and governance expert James Lewis, program director for the Center for Strategic and International Studies. Lewis said President Obama’s cybersecurity executive order that authorizes the creation of an incentivized set of voluntary security guidelines for the protection of networks connected to critical infrastructure facilities is a good start. Rather than being solely voluntary, the rules could become mandatory if the private sector doesn’t act on the guidelines, Lewis said. It takes into account sustaining economic growth, he said.

“We need to find a balance between the requirements of public safety, security and growth," Lewis said. "Too much regulation will kill economic growth, too little will put the country at risk.”

Regulations that establish a baseline for security can be helpful if they provide a reasonable approach for companies that lag behind in establishing security measures, said Evan Wolf, a partner and managing director at Crowell & Moring, and an expert in homeland security and chemical security regulatory compliance. Regulations can create the liability protection that companies need to be able to do innovative research and development, an often risky undertaking, Wolf said. It also can address specific elements of security and public safety where private sector companies have no reach or control.

“We see elements of people working on their own ... to protect critical infrastructure, but what companies are really challenged with and where we need some government thought and intervention are with the interdependencies,” Wolf said. “It’s hard right now to stop a threat where there are these potential cascading effects, such as a pipeline, below a switching station, below a hospital.”

NEXT: Regulations To Curb NSA Surveillance