Government, business divided on cybersecurity

The high-tech industry and federal officials long have argued over the level of protection necessary to effectively maintain the health of the nation's critical infrastructure, and the Center for Strategic and International Studies addresses the issue in a preliminary report issued this week.

"Some are saying we need government, others say stay out of the way," said Jim Lewis, director of the CSIS information technology program. The next step will be to determine "what we need to do to get companies to pay more attention to security," he said.

The study, "Market Forces and Government Action in Securing Cyberspace," grew out of a December meeting of some 40 experts from government and from companies in the financial services, insurance and information technology industries. A second meeting may be held in late March.

The report raised a key question about assigning liability in Internet crime cases. Drawing on the comparison of the Internet to the information superhighway, Lewis said, "Right now [the Internet is] a highway where if you crash into someone, you're not responsible for paying the damages."

The report also addressed the issue of Internet security. The authors concluded that people who believe there is a lack of security attributable to market failure "may see the need for government intervention." People who take the business view that the market has not failed probably believe the private sector is in the process of fixing any weaknesses and that government should stay clear and let the market continue to work.

Either way, the report said, there is the risk that even if security is improved, businesses may not reach the level necessary to protect the nation's critical infrastructure. The report discusses that concern in the context of security as a "public good"--those things that everyone benefits from but that few have incentive to contribute to individually.

The report also examines the existing government structure for handling cyber-security issues, beginning with the President's Commission on Critical Infrastructure Protection in 1996.