Cybersecurity Lesson from Airline Sector
"Who is best positioned to know what risks they see every day? It's people who are operating the system and have their hands on the system every single day."
This quote reflects an argument often made by those who oppose imposing cybersecurity safety regulation on businesses that own and operate the nation's critical IT infrastructure, such as utilities and financial services companies. No doubt, operators of the estimated 85 percent of the nation's critical IT infrastructure that's run by the private sector know more about their systems than would government regulators.
I heard the quote on a PBS-TV broadcast Tuesday night; it wasn't about cybersecurity, but airline safety. The quote came from Nick Sabatini, a former associate administrator for aviation safety at the Federal Aviation Administration.
The Frontline documentary, Flying Cheap, presented the point of view that some regional airlines - not the major carriers - place profit before safety. The report noted that the last six fatal airline crashes in the United States involved regional carriers and that four of the accidents were caused by inexperienced, undertrained and overworked pilots. One takeaway from Flying Cheap is that the regional carrier industry has evolved in a way that does not consider passenger and crew safety its top priority.
What's the lesson from Flying Cheap for cybersecurity? Profit is a factor in how businesses weigh risk. And, with our national security and economic wellbeing at stake if the nation's critical IT infrastructure is breached, Congress must address how much regulation should be imposed on the operators of these systems to protect the nation and its citizens against those who would do us harm.
Those who oppose regulation call on the government to employ incentives to get the operators of critical IT to follow best cybersecurity safety practices. Incentives could prove valuable, but so could regulation. What's needed now is a public discussion involving Congress, the White House, business leaders and citizens in deciding the best approaches to take to assure these critical IT systems function safely.