January 13, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

If anything characterizes the 21st century, it is speed and change. A generation ago, people typically had one phone in their house for their lifetime. Now we change phones (smartphones) every couple of years, at least. Waiting a FULL TWO SECONDS for a computer or app to download is, let’s face it, very annoying.

Cybersecurity is a unique 21st century problem.

Traditional regulation is based on the independent agency model, which was initiated with the Interstate Commerce Commission (ICC) to deal with the hot technology of the 1800s: railroads. Railroads, which haven’t fundamentally changed in 200 years, and cyberspace, which changes all the time, have very little in common.

This traditional regulatory model essentially calls for elected officials, such as Congress, to set broad policy parameters. An expert agency then implements these policies by adopting specific standards or compliance requirements. This model has been copied for the last two centuries to deal with issues as divergent as consumer products (the CPSC), telecommunications (the FCC), financial management (the SEC) and many others. The model assumes that the independent agencies have adequate expertise to set effective standards or compliance requirements and that, when followed, the requirements achieve the goal, be it safety, transparency or fairness. It also assumes that there is a stable set of standards or requirements, consistent with the broad policy parameters, whose observance the agency can verify. Typically, regulated entities are audited to assess compliance with these standards.

The reason these industrial-age methods are ineffective in cyberspace is largely that they were designed to address fundamentally different types of problems than we face today in cybersecurity.

These models essentially attempt to locate a static standard that assures safety wherever producers are in compliance. The key factor is that the subject being regulated is fairly stable. Consumer-product safety illustrates this, and cybersecurity is nothing like it. If a regulator were to set standards for automobile brake pads, scientific analysis would be done to determine the amount of friction required to stop a vehicle of x size/y weight traveling at z speed. Over time the size of vehicles and the speeds they travel at may vary, but the math doesn’t change. So a standard in this sense can be developed and reliably applied, with penalties for non-compliance.

However, in cyber, the technology is constantly changing, as are the attack methods, and new vulnerabilities are continuously being introduced or resurfacing. In other words, the target state for security is always moving. Clear standards, such as you would need for auto safety, become outdated quickly. The typical notice-and-comment rulemaking process used by most agencies and government institutions is not equipped to handle the ever-changing cyber landscape. Transitioning a proposed rule into an enforceable final rule can take several years, and by the time it is finalized, the initial risk or vulnerability has likely adapted into something completely different.

In one recent example, the Coast Guard published its Cyber Security Strategy concerning Cyber Risks at Maritime Transportation Security Act Regulated Facilities in 2015. It went through Notice and Comment in 2017, and the rules were made final in 2020. Five years is too long to develop rules for cyber security.

While the traditional regulatory model proved effective through the industrial age, and may even be helpful in isolated areas of cybersecurity, as will be discussed in later posts, generally speaking it is inappropriate for the digital age.

None of this is to say that government, or even regulation, has no place in cyber security; it does. However, the mechanisms for developing governance models and incentivizing adoption of effective practices need to be far more flexible and dynamic than the antiquated regulatory models of the past couple of centuries.

It is a common misconception that cybersecurity regulation has not been tried. It has, a lot. In tomorrow’s post we will examine the evidence that years of cyber regulation have generated.
