Business leaders have long lamented the shortage of highly skilled cybersecurity professionals, an inadequacy that can be traced in part to immigration restrictions on highly skilled workers and to shortfalls in education.
"The profession of writing software is one that is a complete mess right now," Amoroso said. "The bottom line is that youngsters and even professionals today cannot write a nontrivial piece of software that is bug-free. And those bugs are the way that our adversaries get into our companies."
So rather than attempt to enact a framework for cybersecurity compliance through legislation, the public would be better served if lawmakers developed a set of incentives to promote education, public awareness and collaboration to respond to an evolving set of threats, he argued.
What's more, an explicit set of security mandates could have the perverse effect of aiding would-be attackers by performing their opposition research for them.
"It would be like every NBA team publishing their defense and saying this is what we're going to do," Amoroso said. "Guess what. Do you think the adversaries don't read your legislation?"
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.