The Cybersecurity Framework Is the Wrong Approach

The new Cybersecurity Framework will cause more problems than it solves, say Eli Dourado, a research fellow, and Andrea Castillo, a research associate, at the Mercatus Center.

The Cybersecurity Framework is a federally-designed plan to improve cybersecurity for firms designated as “critical infrastructure sectors” by the Department of Homeland Security. The Framework is composed of three parts:

– The Framework Core is a compilation of best cybersecurity practices for each category within a critical infrastructure sector. It contains standards intended to service five basic functions — identify, protect, detect, respond and recover.
– The Framework Implementation Tiers are measures of compliance within each category. Compliance levels range from Partial (the first tier) to Adaptive (the fourth tier).
– The Framework Profile provides a score to each organization on its level of cybersecurity compliance.

The program is voluntary. Unfortunately, it is not the right approach. Dourado and Castillo say that the absence of a central cybersecurity is not proof that there is not sufficient cybersecurity, noting that private companies already have incentives to develop their own cybersecurity solutions. Market-based standards are more effective than state-mandated plans, which run the risk of becoming “mired in unwieldy top-down complexity.”

More From NCPA: