Page 107 - Privacy in a Cyber Age Policy and Practice
THE PRIVATE SECTOR: A RELUCTANT PARTNER IN CYBERSECURITY
to be left alone by the government and that the private sector is capable of
independently determining how much and what kind of cybersecurity it
needs.
However, as James A. Lewis, a highly regarded cybersecurity expert
at the Center for Strategic and International Studies, points out, “The
market has failed to secure cyberspace. A ten-year experiment in faith-based
cybersecurity has proven this beyond question.” 12 That is, ten years
after the industry’s conversation about private sector cybersecurity began,
corporations continued to be inundated with cybersecurity breaches.
Christopher Cox, former chairperson of the Securities and Exchange
Commission, put it more bluntly: “Voluntary regulation [of cybersecurity]
does not work.” 13
Because corporations are considered rational actors, one might well expect
that they would voluntarily take measures to protect their trade secrets and
hence profits. The reasons they often do not are varied. For example, CEOs
have been shown to focus on short-term costs and benefits, to the detriment
of longer-term effects. The consequences of stolen trade secrets often take
years to unfold because competitors need time to use the information they
gained to build and market their own products. Moreover, humans tend
to be poor at assessing the probabilistic costs of their actions. 14 Therefore,
it is unsurprising that CEOs and other executives seem to underestimate
even the short-term consequences of failing to shore up cybersecurity. This
problem is compounded by executives’ inexperience with technology. “Most
[board members and executives] have gray hair,” one banker and media
executive said. “It’s like having someone who has never paid any attention
to their health talk to a doctor.” 15 One expert on cybersecurity, meanwhile,
writes, “Cyber-security resembles environmental law in that both fields are
primarily concerned with negative externalities. Just as firms tend to underinvest
in pollution controls because some costs of their emissions are borne
by those who are downwind, they also tend to underinvest in cyber-defenses
because some costs of intrusions are externalized onto others.” 16 Whatever
the reasons, The Wall Street Journal writes that in the first six months of 2014
alone “1,517 U.S.-traded firms . . . have cited hacking as a business risk in
filings,” and that “federal officials and others say many companies remain
ignorant of, and unprepared for, Internet intruders.” 17
Second, other opponents of government cybersecurity regulations claim
that government mandates will actually hamper cybersecurity and other
innovations in the private sector. In 2012, the U.S. Chamber of Commerce
called on Senate Republicans to filibuster a bill that would have established
cybersecurity standards for private sector critical infrastructure, on
the grounds that the bill could actually “hamper companies trying to defend
against cyber intrusions.” 18 The argument seems to be that establishing clear