AN ADVERSARIAL REGULATORY MODEL IS ANTI-CYBERSECURITY

January 21, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

A major reason why we are not making progress in securing cyberspace – and we are in fact losing ground rapidly– is that for the most part we have mis-analyzed the issue as a case of traditional corporate malfeasance. 

In instances such as the Enron, WorldCom, and Volkswagen scandals, and others, regulators stand in for consumers and protect them from malfeasance corporations – as they should.  However, while there are no doubt cases of corporate 9as well as government) blindness or mismanagement, this is not really the core problem in cybersecurity. In today’s cybersecurity environment, the opponents are vast criminal syndicates and increasingly nation-states and their surrogates, who are stealing and corrupting personal data, corporate intellectual property and national secrets.  Government, consumers, and industry are actually all on the same side.

The reality is that we, consumers, governments and industry, are all in this fight together.  Notwithstanding rhetorical pledges of “partnership” the implementation of a true partnership such as one would see in a business partnership has never been realized – and actually largely not even attempted.

While the government has extensive powers and abilities beyond that of any private institution, the private sector is much larger, better financed, and is more intimately sophisticated with the apparatus that makes up our critical infrastructures.  A partnership model – especially in cybersecurity makes the most sense.

A true partnership model with industry and government working together as co-equals appreciating their similar — and their differing — perspectives and combining efforts in a coordinated fashion in pursuit of mutually identified and measured objectives is what we need.

We are nearly 2 decades past the creation of the first National Strategy to Secure CyberSpace as well as multiple successive such documents and we have never evolved a model that looks like that. 

While there are pockets of government such as NIST and DHS that are working in a more collaborative fashion there is still a strong element of traditional regulatory sentiment in government.  Unfortunately, the adversarial regulatory model undermines needed partnerships 

The compliance/penalty culture which is an inherent part of the regulatory structure is especially problematic in the cyber domain. The mindset of the regulator tends to be like a parent who feels they must discipline their unruly, industry, child.  In cases of actual criminal or fraudulent behavior this is appropriate.  However, in cybersecurity the problem is more often the unequal balance between the corporate (and governmental) defenders and the better resourced attackers.  This is especially the case for major cyber events which naturally are the ones of highest concern to the government.

Too many regulators feel the need to blame the victim of the attack thinking—wrongly—that severe penalties will drive better security. Merely the perception of the big stick of penalties and enforcement will intensify the already existing attitude of fear and mistrust which undermines the widely accepted wisdom that neither government nor industry can maintain a secure cyber system unless they act together in true partnership. 

Instead of the parent-child relationship the cybersecurity partnership should be more like a successful marriage. Government and industry need to act like mature co-equal spouses.  In good marriages partners understand, indeed relish their differences and don’t seek to manage the other but to work together.  This is also characteristic of good business partnerships.

Ironically, our adversaries, the criminals and attack community, are showing a far more collaborative nature than the “good-guys” in the defender community.  In order to succeed in the fight to secure cyberspace industry and government need to become truly committed and tie the knot in a true marriage of necessity.

Join the Rethink Cybersecurity Community click here