The Cybersecurity Framework Is the Wrong Approach
The new Cybersecurity Framework will cause more problems than it solves, say Eli Dourado, a research fellow, and Andrea Castillo, a research associate, at the Mercatus Center.
The Cybersecurity Framework is a federally designed plan to improve cybersecurity for firms in sectors designated as “critical infrastructure sectors” by the Department of Homeland Security. The Framework is composed of three parts:
– The Framework Core is a compilation of best cybersecurity practices for each category within a critical infrastructure sector. It contains standards intended to serve five basic functions: identify, protect, detect, respond and recover.
– The Framework Implementation Tiers are measures of compliance within each category. Compliance levels range from Partial (the first tier) to Adaptive (the fourth tier).
– The Framework Profile provides a score to each organization on its level of cybersecurity compliance.
The program is voluntary. Unfortunately, it is not the right approach. Dourado and Castillo say that the absence of a central cybersecurity is not proof that there is not sufficient cybersecurity, noting that private companies already have incentives to develop their own cybersecurity solutions. Market-based standards are more effective than state-mandated plans, which run the risk of becoming “mired in unwieldy top-down complexity.”