Since early last year, the coronavirus pandemic has presented a public health crisis so vast that it dominated the news and discussions around public policy. As COVID-19 accelerated the digitization of the U.S. economy, a far less noticed epidemic was also spreading — a proliferation of cyberattacks. According to the FBI, the number of daily reported cyberattacks increased to 4,000 by April 2020, representing a 400 percent increase over the pre-coronavirus figures. Last month, security firms uncovered a massive breach linked to a software company, affecting hundreds of Fortune 500 companies and government agencies.
As the extent of economic damage due to growing cyberattacks against the private sector becomes evident, the Biden administration must develop policies to mitigate cybersecurity risks. Instead of creating more stringent cybersecurity regulations, the U.S. government should create incentives for businesses to adopt the best cybersecurity practices and to insure against cyberattacks.
In response to growing cyber threats, Congress recently passed legislation such as the 2019 National Cybersecurity Preparedness Consortium Act and the State and Local Government Cybersecurity Act. While this legislation sought to improve cooperation between local, state, and federal governments, it failed to address the bigger problem — poor cyber hygiene in corporations. Consequently, the private sector — which comprises critical institutions like hospitals — remains an Achilles’ heel for national cybersecurity.
As a result, many policymakers are increasingly supporting a heavy-handed approach to cybersecurity regulations. For example, some experts advocate a federal cybersecurity framework — similar to the EU’s General Data Privacy Regulation (but for improving cybersecurity). Furthermore, others argue that the U.S. government should grant corporations immunity or limited liability for data breaches if they implement government-mandated cybersecurity regulations. The claim is that these regulations will create a more secure data environment and benefit American consumers and the economy in the long run. However, there are at least three reasons why such proposals are unlikely to be effective in the long run.
First, because of the federal government’s lack of cybersecurity expertise, there is little evidence to suggest that the government, rather than the private sector, is better suited to address cybersecurity threats. That is especially the case as leading corporations — like big tech and banks — are well aware of cybersecurity risks. Given the crippling costs of data breaches and cyberattacks, these companies have strong incentives to protect against malicious cyber activities.
Second, even if the U.S. government cooperates with leading corporations to develop mandatory cybersecurity regulations, a one-size-fits-all policy will be highly costly. For instance, a small startup providing food delivery services does not need the same cybersecurity protocols as financial institutions, hospitals, or other critical infrastructure. By mandating the same cybersecurity regulations on small businesses as on large corporations, a one-size-fits-all approach will considerably burden small enterprises.
Third, while a government-backed insurance scheme might protect companies from future liability, it reduces the incentive to innovate — precisely because companies will not be liable for losses from cyberattacks. As a result, instead of innovating, corporations are more likely to adopt the minimum cybersecurity standard required to avoid future liabilities. In other words, while such a mechanism shields companies from future tort claims, it does little to protect consumers from possible data breaches.
Instead, the U.S. government should incentivize private companies to seek insurance for their business operations. Despite growing risks, most businesses remain uninsured against data theft and cyberattacks.
Currently, most insurance companies do not offer lower premiums to businesses that implement safe cybersecurity practices. As a result, the U.S. government needs to cooperate with financial institutions to share data, quantify cybersecurity risks, and develop the necessary insurance models. To encourage lower insurance premiums and the industry-wide adoption of best cyber-hygiene practices, the U.S. government can provide tax breaks to financial institutions offering lower insurance premiums to companies adopting robust cybersecurity protocols.
Ultimately, both Democrats and Republicans need to recognize that the basis of U.S. economic strength and technological innovation lies in competition, rather than burdensome regulations. Simultaneously, policymakers need to be clearheaded about the growing risks that cyberattacks pose to the economy. As the new administration makes choices about how to improve the nation’s security, providing private companies market-based incentives to improve cybersecurity would be a much-needed step in the right direction.
Ryan Nabil is a research fellow at the Competitive Enterprise Institute.