Apparently the U.S. federal government has recognized the need for action, and the Administration and leaders in Congress have proposed a number of legislative solutions. However, I ended up feeling that we’d be better off if the government pretty much did nothing given that:
A number of practitioners described how regulations too easily lead to a “compliance culture,” where statutory requirements incentivize companies to check the right boxes, rather than implement better security.
White hat hackers explained that vulnerabilities and exploit strategies are evolving much, much more rapidly than any conceivable government framework.
Cybersecurity is a complex and messy socio-technical system, and the unintended negative consequences of any regulation could easily outweigh the benefits.
A leading computer scientist observed that the incentives for appropriate behavior were already about right – and that a process-oriented standards framework was guaranteed to drive the technical experts out of the room.
The government therefore needs to be seen to be doing something – but the less it does, the better. This is not unlike the placebo effect, where a patient given a dummy treatment experiences a true improvement in their condition – without harmful side effects.