(Re-)Configuring Federal Cybersecurity Regulation: From Critical Infrastructures to the Whole-of-the-Nation

Abstract

Cyberattacks are one of the greatest threats to the United States’ national security. Facing an increase in cyberattacks, the current patchwork of federal cybersecurity regulations does not maximize the country’s ex ante defense that should protect the entire nation. This Article examines federal agencies’ involvement in promulgating cybersecurity regulations and Executive Branch cybersecurity actions, identifying three shortcomings in the current framework: (1) the nation lacks a general cybersecurity agency with regulatory and enforcement authority, (2) cybersecurity programs often rely on business participation and leadership without incorporating non-profit organizations and individuals, and (3) cybersecurity approaches often overemphasize the importance of attributing attacks to the corresponding culprits. To rectify these weaknesses and maximize cyber defense, this Article argues that Congress should
expand the Cybersecurity and Infrastructure Security Agency’s rulemaking and enforcement authority to monitor and mitigate cyber threats across varying sectors, including government, businesses, insurers, non-profit organizations, and individuals.