A closer look at the TSA’s cybersecurity directive for pipelines casts doubt on the applicability of “performance-based” regulation to cybersecurity. For now, policymakers have to combine management-based controls and technology-specific prescriptions.
Jim Dempsey is a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center. From 2012 to 2017, he served as a part-time member of the Privacy and Civil Liberties Oversight Board. He is the author of Cybersecurity Law Fundamentals (IAPP, 2021).
The federal privacy bill currently being considered by the House of Representatives would be a huge improvement over the current state of law with respect to the cybersecurity of personal information, but a few key areas need adjustment.
What is the FTC’s Advance Notice of Proposed Rulemaking on commercial surveillance and data security, and what issues does it raise?
Legislation moving through Congress on medical devices suggests broader lessons for how to improve the cybersecurity of essential products and critical infrastructure. The bill’s proposed system of regulation and oversight holds promise for meeting the competing criteria of certainty and flexibility, stability and adaptability, mandate and innovation.
In emergencies, federal agencies can avoid cumbersome rulemaking procedures. Uses of the “good cause” exception following 9/11 and the outbreak of the coronavirus offer insights relevant to the current cybersecurity threats to critical infrastructure.
Many federal agencies have existing authority that could be leveraged to improve the cybersecurity of private actors under their jurisdiction.
Systems based on artificial intelligence are susceptible to adversarial attack. Vulnerability disclosure and management practices can help address the risk.