Cybersecurity Balance: Too Much Regulation Will Stifle Economy, Stall Innovation

Lawmakers need to strike the right balance with regulations designed to rein in surveillance and bolster privacy, said a panel of experts who warned against European data privacy restrictions that could stifle innovation and restrain economic growth in the region.

The latest round of regulations that seek to re-establish control over government surveillance activities must contain the right mix of safeguards without overreaching or policymakers risk stagnating economic growth and stifling technology innovation, said panelists during a session at RSA Conference 2014. In a discussion titled "To Regulate Or Not To Regulate Cybersecurity: That Is The Question," the panelists from a variety of think tanks and consultancies warned that government regulation could harm economic competitiveness globally and set the stage for other nations to gain ground on U.S. technology providers.

[Related: 10 Ways NSA Surveillance Revelations Could Impact The Channel ]

The threat landscape, combined with emerging security technologies, moves at a faster pace than regulators can establish and maintain effective rules, said Paul Rosenzweig, founder of Red Branch Consulting and a senior adviser to The Chertoff Group. Once in place, regulation takes up to two years to adapt to market changes, Rosenzweig said.

"Regulation is the least nimble, least dynamic in its ability to change itself," Rosenzweig said. "What we're experiencing today is wildly different than attacks we were experiencing two or three years ago."

Regulators should take a more pragmatic approach to cybersecurity, said security and governance expert James Lewis, program director for the Center for Strategic and International Studies. Lewis said President Obama’s cybersecurity executive order that authorizes the creation of an incentivized set of voluntary security guidelines for the protection of networks connected to critical infrastructure facilities is a good start. Rather than being solely voluntary, the rules could become mandatory if the private sector doesn’t act on the guidelines, Lewis said. It takes into account sustaining economic growth, he said.

’We need to find a balance between the requirements of public safety, security and growth," Lewis said. "Too much regulation will kill economic growth, too little will put the country at risk.’

Regulations that establish a baseline for security can be helpful if they provide a reasonable approach for companies that lag behind in establishing security measures, said Evan Wolf, a partner and managing director at Crowell & Moring, and an expert in homeland security and chemical security regulatory compliance. Regulations can create the liability protection that companies need to be able to do innovative research and development, an often risky undertaking, Wolf said. It also can address specific elements of security and public safety where private sector companies have no reach or control.

’We see elements of people working on their own ... to protect critical infrastructure, but what companies are really challenged with and where we need some government thought and intervention are with the interdependencies,’ Wolf said. ’It’s hard right now to stop a threat where there are these potential cascading effects, such as a pipeline, below a switching station, below a hospital.’

NEXT: Regulations To Curb NSA Surveillance

Security experts acknowledge that lawmakers need to take action to rein in government surveillance. The issue dominated the RSA Conference 2014 and led to the launch of TrustyCon, the first Trustworthy Technology Conference held concurrently with the annual RSA event as a result of the alleged ties between the intelligence community and some U.S. technology companies. At least two bills are being considered in Washington, according to the Electronic Frontier Foundation. Congress is considering the FISA Improvement Act, which aims to legalize certain surveillance activities while putting in some safeguards, and the USA Freedom Act, which would establish restrictions on the dragnet collection of data by the government.

Speaking at TrustyCon, noted cryptographer Bruce Schneier, an outspoken opponent of mass surveillance, who has reviewed the technical documents leaked by former NSA employee Edward Snowden, said the chance of actual change brought on by regulation is very low. Any new law would have a marginal impact on activity as the NSA and other agencies have multiple ways to get at the data they require and can give up some dragnet data collection activities without any loss of capability, Schneier said.

"How we enable the benefits of data in bulk -- all of our data together -- while at the same time protecting our privacy is the main problem right now," Schneier said. "Generally we should have a law to limit the use of data and technically limit the collection of data. ... It will take a generation who doesn't remember 9/11 to build privacy into society like we were used to."

Schneier is advocating for easier ways to incorporate encryption into popular applications. Easy-to-use encryption programs such as Off The Record, a clean plugin for chat programs, can make bulk collection more difficult and force intelligence-gatherers to conduct targeted surveillance to thwart terrorism, Schneier said.

"It is the bulk collection on everybody that we found terrible, and that is what encryption can solve," Schneier said. "We can make it more expensive and force them to go after my computer alone and not the entire country."

PUBLISHED MARCH 4, 2014