The combination of the lobbying topic in the last podcast, Joe Weiss talking about a blue ribbon panel to advise the next President, and chats with team members has made me think about this a lot over the last week, and I still don’t have an answer that I believe in with any conviction.
I’m having difficulty thinking of a single area in information technology where Congress has gotten involved to achieve a goal and had success. There have been some successes due to unintentional consequences, but could they pass a law or laws with the aim of improving control system cyber security and actually achieve that?
Maybe one could argue giving FERC responsibility for cyber security in the bulk electric system will increase security, but it is unclear if that has had a positive impact on the NERC CIP efforts that were already in progress pre-legislation.
So enough waffling . . . if I were an uber-powerful lobbyist whose sole goal was to improve control system cyber security, I would advise Congress to credibly threaten industries with regulation if they did not self-regulate, set benchmarks or certification programs, etc. This would involve having hearings, drafting legislation, and being in a position to regulate if industry groups did not step up. At the same time, make it clear that legislation is necessary only if private industry is not addressing security.
What would you do?