The balancing act – Innovation vs Regulation.

The promise of innovation and the benefits of regulation are at odds in ways they never have been before. Individual and organisational dependencies on information technology, further advancements, and the risks that regulations seek to mitigate, will have greater impact on daily life and business activities across the world than perhaps any other regulatory effort. Balancing the promise and risks will take creativity and foresight, but most of all it will take what is in shortest supply … expertise.

As governments work to protect their citizens from the worst effects of information technology, the private sector must be ready to inform and advocate as regulations develop. If governments do not access private sector knowledge during this effort, private subject matter experts must be ready to insert themselves to ensure regulatory development is well informed and effective. If the private sector does not put in the work during the developmental phase, it will certainly regret it when it is time for the enforcement phase.

Information technology tools that have developed and spread globally in the last 30 years have improved life and made it easier. To name only a few of their benefits, they have created beneficial and productive connections between people and organisations and increased the pace of commerce and scientific discovery. However, the risks that have come with these advances have multiplied as well, and the risk borne by one information technology user, or one network, can bring harm to countless users and networks.

Defeating the externalisation of risk is perhaps the main purpose of regulation. It is meant to create safe and fair development of systems, protect participants in those systems, limit potential damage to those who are unable to control risks, and place responsibility on those best positioned to handle and mitigate those risks. There is no need to revisit the failure to prioritise security in most information technology development over the past three decades, but we have arrived at a moment in which many governments are recognising the scope of information technology threats and understanding that the benefits of making innovation the highest if not sole priority cannot be sustained without enormous costs.

Many western governments, even those with a distaste for regulation, are looking to the private sector for increased reporting of vulnerabilities and breaches, setting standards for organisations responsible for critical infrastructure, and penalising individuals and entities failing to meet their obligations. The appetite for regulation is almost certain to increase in the near term with more breaches, ransomware, and other incidents surely to come. As these regulations develop, the level of cybersecurity and information technology expertise in the public sector relative to the private sector will become a significant factor.

All organisations, public and private, share the same concern regarding cyber and IT expertise … no one has enough of it and everyone is looking for more of it. The public sector, however, cannot match the incentives and benefits that the private sector can offer. With more expertise in the private sector than public, it may be difficult for government bodies to develop regulations that are effective, enforceable, and fair without private sector assistance.

Do governments have the expertise necessary to regulate the full range of information technologies? To name only a few challenging areas, regulations are under consideration with regard to social media, artificial intelligence, privacy and law enforcement access, incident reporting, and the cybersecurity of diverse institutions ranging from brokerage houses to critical infrastructure operators to small businesses with relatively limited resources.

The question of whether governments have the expertise necessary to regulate these issues is underscored by the fact that governments’ systems are breached regularly. Notorious incidents have befallen many of the institutions that are now charged with regulating others (for example, it’s quite possible that the Chinese Government has better records on many Americans than the U.S. Government). This by no means indicates that regulators are unqualified in this regard, but governing institutions should lead by example. At the very least, they should hold themselves to the same standards they expect others to realise, and they should never punish an organisation for failing to reach a level of security that they have not achieved themselves.

Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency, recently said that “if companies are doing all the right things and still get breached,” they may yet be protected from regulatory penalties. This is easier said than done, though.

If a typical household suffers a fire in its kitchen, having a nearby extinguisher available to put it out is a reasonable expectation. If the same house’s roof catches fire, no one expects the inhabitants to have the resources to handle that level of catastrophe on their own. It’s what we have fire departments for.

Will government officials be able to recognise the difference between a cyber kitchen fire and a cyber roof fire? What criteria will they use? How will they gather evidence? What level and depth of access to a system will they request or require in order to investigate?

The Biden Administration released its National Cybersecurity Strategy in early March. A remarkable document in its entirety, perhaps the most noteworthy statement regards a shared duty to develop workable cybersecurity regulations: “A collaborative process between industry and regulators will produce regulatory requirements that are operationally and commercially viable and will ensure the safe and resilient operation of critical infrastructure.” This is a welcome statement that should be viewed optimistically and reflect an aspiration for all representative governments.

It is one thing to say this from the top and another to ask rank-and-file regulators to look at the private sector not merely as ‘the regulated’ and to view them instead as collaborators. Government employees should put aside their roles as law makers, law enforcers, and leaders in this effort. They should see themselves as peers and fellow network owners, operators and defenders … and look to develop regulations from that united foundation.

Lieutenant Colonel and Judge Advocate with the US Marine Corps