Critical Information Infrastructure Protection and the Law: An Overview of Key Issues
the potential for lawmaking to influence vendor responsibilities under the law and to reframe liability.
As this brief overview illustrates, regulations relevant to CIIP are a patchwork. That situation will complicate any efforts to develop a regulatory framework (rationale, legal basis, agency oversight) for critical infrastructure protection. Hank Perritt, CSTB member and dean and professor of law at Illinois Institute of Technology, Chicago-Kent College of Law, suggests that regulation is really about a fundamental choice: whether the need for a robust, reliable, critical information infrastructure is better met by a highly centralized approach—the model for which is AT&T as it existed in 1965—or whether it is better served by a highly decentralized and very market-oriented and loosely regulated approach (such as is exemplified by the Internet).54 Given how the economy and the information infrastructure have evolved, we have a decentralized system today. Any changes would have many ramifications. Many (including the current administration and the Internet community, which is often described as cyberlibertarian) view regulation by the government as interference in the market economy. On September 11, the Internet was very resilient (due in large part to a fair amount of redundancy),55 which shows that a decentralized model does not necessarily produce a less robust infrastructure. A decentralized scenario does not foreclose the possibility of the law having more bite but, rather, offers a choice of instruments that are not necessarily regulatory. For example, Mr. Perritt suggests that contract and tort law could ratchet up the cost of having an insecure network, and this disincentive could be further strengthened through regulation, without eliminating competition or decentralization.
Regulatory compliance and the desire to avoid new regulations serve both to require and to motivate all parties to pay more serious attention to securing the nation’s critical infrastructure against cybercrime and attack. The mere threat of such regulation could motivate vendors and corporations to self-regulate, providing their own standards and audit policies. The heightened interest in ISACs in 2002 is an indicator that the private sector is moving toward self-regulation. The government could periodically review such self-regulation efforts and provide reports showing deficiencies that would need to be corrected by a given deadline if regulation is to be avoided.