WHY CYBER REGULATORY HARMONIZATION WON’T WORK
The core reason cybersecurity regulatory harmonization won’t work is that it doesn’t promise to improve the effectiveness of our regulations.
Harmonization should not be understood as the goal of our efforts to improve our cybersecurity regulatory system.
Our goal must be effectiveness, i.e., to actually improve our cybersecurity. Unless “harmonization” (whatever that means – we will get to that in a minute) can be clearly tied to making our regulations more effective, the discussion is missing the point.
The entire discussion on cybersecurity regulatory reform needs to occur with an understanding that our traditional approaches to creating greater cybersecurity, primarily regulations, have failed by almost all necessary measures.
Microsoft is currently tracking 600 million cyberattacks a day. The World Economic Forum estimates cyberattacks cost roughly 20 trillion dollars a year in lost economic value (for context, China’s GDP is a little less than $18 trillion). We know our adversaries have already used cyber means to compromise nation-state critical infrastructure, and we can’t seem to get rid of them, even though we know they are there.
This doesn’t necessarily mean we need to deregulate cybersecurity, but it does mean we need to dramatically alter our methods to focus on empirical effectiveness. Harmonization is not a synonym for effectiveness.
The second reason cyber regulatory harmonization won’t work is that there is no consensus definition of “harmonization.” The dictionary definition means making different people’s plans or situations suitable for each other. In the regulatory sense, harmonization discussions get caught up in extended conversations about whether the goal is “minimal” harmonization, “maximum” harmonization, or someplace in between. In a very literal sense, when we talk about cyber regulatory harmonization, we don’t know what we are talking about.
This leads to the third reason cyber regulatory harmonization won’t work. It will take too long, especially considering we are under constant and devastating cyberattacks. The difficulty in developing a specific plan for harmonized cyber regulations can be illustrated by a recent proposal in the US Senate to undertake an 8-year-long study to come up with a cyber regulatory harmonization plan – 8 YEARS! Based on Microsoft’s estimates of daily attacks, we would endure nearly 6 billion cyberattacks before we get a harmonization proposal, after which they propose we do beta tests.
There have already been countless meetings, conferences, task forces, and studies on this issue. The Biden Administration released a new national cybersecurity strategy in 2023; item 1.1 in their implementation plan was cyber regulatory harmonization. Their solution – a request for information. After that was done, nothing. This is not just an issue for the private sector. Government systems are equally – maybe more – subject to successful attack.
We don’t have the time to go through another round of meetings where we will admire the problem of duplicative and wasteful cyber regulation. And, we don’t have to. There are concrete steps that can be taken now to address the significant weaknesses in our cyber regulatory system.
We should begin by identifying and eliminating the redundancies in existing cyber regulations.
The US Congressional Committees on Homeland Security and Government Operations Chairmen recently wrote that “eliminating the duplicative landscape of cyber regulations is the fastest, most cost-effective way to improve the nation’s cybersecurity materially.”
Whereas at one point, identifying redundancies in cyber regulations may have been a fairly laborious process, modern technology has largely solved that problem. AI certainly can help, but we don’t need to get that sophisticated. NLP algorithms can analyze large volumes of regulatory texts to identify similar language, concepts, and requirements across different frameworks. Another approach could be semantic similarity analysis, which could help understand the meaning and intent behind regulatory language and identify functionally similar requirements even when wording differs.
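As an added illustration of the redundancy-detection approach described above (this is example code written for this page, not a tool from any regulator or the author), the following compares clauses from two constructed, hypothetical frameworks using TF-IDF weighting and cosine similarity. The clause texts, the framework names `FRAMEWORK_A` and `FRAMEWORK_B`, the stopword list and the 0.3 threshold are all assumptions made for the example; real regulatory text would need a proper stemmer and human review of every flagged pair.

```python
"""Flag functionally overlapping requirements across two regulatory texts
using TF-IDF cosine similarity. All clauses below are constructed samples."""
import math
import re
from collections import Counter

# Function words and modal verbs that carry no requirement content (assumed list).
STOPWORDS = {"a", "an", "the", "of", "to", "at", "in", "on", "and", "or",
             "for", "with", "by", "be", "is", "are", "must", "shall", "using"}

# Constructed sample clauses; not taken from any real regulation.
FRAMEWORK_A = {
    "A1": "Covered entities must encrypt personal data at rest using industry-standard algorithms.",
    "A2": "Covered entities must conduct annual penetration testing of internet-facing systems.",
    "A3": "Incident reports must be submitted to the regulator within 72 hours of discovery.",
}
FRAMEWORK_B = {
    "B1": "Organizations shall report security incidents to the agency within 72 hours.",
    "B2": "Organizations shall encrypt personal data at rest.",
    "B3": "Organizations shall maintain an inventory of hardware assets.",
}


def tokenize(text: str) -> list[str]:
    """Lowercase, split on non-alphanumerics, drop stopwords, crude plural stripping."""
    tokens = []
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        if tok in STOPWORDS:
            continue
        if len(tok) > 3 and tok.endswith("s"):
            tok = tok[:-1]  # "incidents" -> "incident", "hours" -> "hour"
        tokens.append(tok)
    return tokens


def tfidf_vectors(docs: dict[str, str]) -> dict[str, dict[str, float]]:
    """Map each clause id to a sparse TF-IDF vector computed over the whole corpus."""
    tf = {cid: Counter(tokenize(text)) for cid, text in docs.items()}
    n = len(docs)
    df = Counter(term for counts in tf.values() for term in counts)
    idf = {term: math.log(n / count) for term, count in df.items()}
    return {cid: {t: c * idf[t] for t, c in counts.items()} for cid, counts in tf.items()}


def cosine(u: dict[str, float], v: dict[str, float]) -> float:
    """Cosine similarity of two sparse vectors; 0.0 when either has no weight."""
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    norm_u = math.sqrt(sum(w * w for w in u.values()))
    norm_v = math.sqrt(sum(w * w for w in v.values()))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0


def find_overlaps(framework_a: dict[str, str], framework_b: dict[str, str],
                  threshold: float = 0.3) -> list[tuple[str, str, float]]:
    """Return (a_id, b_id, score) for cross-framework pairs at or above threshold,
    highest score first. Clause ids are assumed to be unique across both inputs."""
    vectors = tfidf_vectors({**framework_a, **framework_b})
    pairs = []
    for a_id in framework_a:
        for b_id in framework_b:
            score = cosine(vectors[a_id], vectors[b_id])
            if score >= threshold:
                pairs.append((a_id, b_id, round(score, 3)))
    return sorted(pairs, key=lambda p: p[2], reverse=True)


if __name__ == "__main__":
    for a_id, b_id, score in find_overlaps(FRAMEWORK_A, FRAMEWORK_B):
        print(f"{a_id} <-> {b_id}: {score}")
    # A2 (penetration testing) has no counterpart in FRAMEWORK_B and is not flagged.
```

On the constructed corpus the encryption-at-rest clauses (A1/B2) and the 72-hour reporting clauses (A3/B1) are flagged, while the penetration-testing clause has no match and stays unflagged. The TF-IDF weighting is what keeps boilerplate such as "organizations" and "covered entities" from inflating scores: a term that appears in every clause of a framework gets an IDF near zero, so only the requirement-specific vocabulary drives the comparison.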
Regulators should be required to analyze existing and future cyber regulations, identify redundancies, and eliminate them. This fairly simple and timely step could almost instantly unleash massive amounts of scarce cybersecurity resources to focus on actual security and not duplicative regulatory compliance.
Another concrete step would be applying cost-benefit analysis (CBA) to all cybersecurity regulations. CBA is a standard requirement in many regulatory spaces, but has not been generally applied to cyber rules. BOTH cost and an empirical definition of effectiveness must be fundamental principles for all cyber regulations. Given the dire state we are in with cybersecurity, we need to understand clearly whether what we require is actually achieving our goals, and those methods need to be cost-effective to be sustainable. CBA should be a necessary principle for all cyber regulations.
A third concrete step that should be undertaken is mutual recognition of certifications across jurisdictional lines. A helpful model here is the transportation sector. When one drives across Europe, the driver is not required to pass a test in each jurisdiction. The licensing in one state is recognized in adjacent states. At a more complex level, airlines have operated with mutual certification recognition on a global basis for years.
Although working out the mutual certification process will require more effort than simply identifying and eliminating redundancies, it, like CBA, has existing models that can be readily adapted to cybersecurity.
I feel confident this can all be done in less than 8 years.