Lewis: CFATS could be model for public-private cybersecurity model

March 18, 2011

via Fierce Government IT

A federal government looking to expand its regulatory presence in private sector cybersecurity for critical infrastructure but not wanting to exert too heavy a hand could make use of the Chemical Facility Anti-Terrorism Standards model, suggested James Andrew Lewis, while testifying March 17 before a House panel.

Lewis, director of the Center for Strategic and International Studies’ technology and public policy program, told the House Homeland Security subcommittee on cybersecurity, infrastructure protection and security technologies that the CFATS model has proven successful enough to consider extending into cybersecurity. “It’s a little bit of a regulatory authority, it’s a little bit of a partnership,” Lewis said, characterizing it as a model under which chemical facilities voluntarily adopt the security measures of their own choosing but are subject to government effectiveness audits.

The model has its faults, including not dealing well with liability, Lewis added, but it gives “a little more flexibility than a heavy-handed regulatory approach and it does seem to have had some success.”

Story here.