Cyber Regulations Are Counter-Productive to True Security

Posted on February 9, 2021 at 10:01 am

The old model simply doesn’t work. None of this analysis is meant to impugn the policy makers who created that model, or more precisely attempted to adapt it to the cyber environment. Faced with the quickening apparent threat from cyber-attacks, policy makers naturally went to their “go-to” option: the independent agency model designed to address the hot technology of the 19th century – railroads. It was pretty much all they had.


Some Reasons Why Cyber Regulation Doesn’t Work

Posted on February 4, 2021 at 1:47 pm

In previous posts we have documented that independent research shows that even the most highly regulated industries for cybersecurity such as health care and financial services are not achieving adequate levels of cybersecurity, and in fact don’t score better on security effectiveness than less regulated sectors like IT and professional services. We have also documented that even the highly regulated federal government sector scores poorly with respect to cybersecurity effectiveness.


WHY IS CYBERSECURITY INCLUDED IN THE COVID RELIEF BILL?

Posted on February 2, 2021 at 3:13 pm

As we all know, in addition to massive death and social destruction, the pandemic has also brought economic collapse on many dimensions. Our economy, like just about everything else, is ultimately reliant on cyber systems. If the purpose of the legislation on the Senate floor is COVID relief, then that needs to include making sure our economy recovers, and our economy cannot recover unless the core systems of the economy – which in the 21st century are cyber – also recover.


If Government Can’t Regulate Itself, How Can It Regulate Industry?

Posted on January 26, 2021 at 10:15 am

The foundational assumption of the expert agency regulatory model is that government knows what to do; all that is needed is to compel a recalcitrant private sector to follow government mandates. There is no evidence that government has attained that degree of expertise in cybersecurity. In fact, the data suggest the opposite.


NEW CYBER PRINCIPLE SPEAKS TO “SOLARWINDS” STYLE ATTACKS

Posted on January 25, 2021 at 3:33 pm

Today the World Economic Forum, in collaboration with the National Association of Corporate Directors, the Internet Security Alliance and PWC, is publishing a new set of principles for boards of directors to follow in exercising their duty of cyber risk oversight. While a number of these principles will be familiar to those who have followed the ISA/NACD work, one important additional principle has been added.


AN ADVERSARIAL REGULATORY MODEL IS ANTI-CYBERSECURITY

Posted on January 21, 2021 at 10:00 am

A major reason why we are not making progress in securing cyberspace – and we are in fact losing ground rapidly – is that for the most part we have mis-analyzed the issue as a case of traditional corporate malfeasance.


CYBERSECURITY IS EASY AS NIST — NOT!

Posted on January 20, 2021 at 10:00 am

Virtually any proposed solution to the cybersecurity problem that begins with the phrase “All you have to do…” is almost certainly wrong. Despite what some marketers of their secret formulas and special sauce may claim, cybersecurity is a difficult problem to address sustainably.


SECURING THE CAPITOL—SECURING THE INTERNET

Posted on January 19, 2021 at 10:00 am

Yesterday was Martin Luther King Day. Tomorrow is Presidential Inauguration Day. Both days should be celebratory of one of our nation’s great heroes and our nation’s proud democratic tradition. Instead, Washington DC looks incredibly ugly today. The barricades, the barbed wire, the fences, the National Guard, the weapons. All this has turned one of the […]


A RISK-BASED APPROACH TO NATIONAL CYBERSECURITY

Posted on January 15, 2021 at 10:00 pm

ISA congratulates CISA’s National Risk Management Center, and Director Kolasky, for this vitally needed initiative. The SolarWinds attacks have brought to everyone’s attention the need to rethink how we are conceptualizing cyber-attacks. As we have pointed out in numerous blogs over the past two months, the SolarWinds attack is a paradigm shift that makes future […]


CYBER REGULATION HAS BEEN TRIED AND IT DOESN’T WORK

Posted on January 14, 2021 at 10:00 am

In previous posts we have argued that the traditional regulatory model is ill-suited to address the nature of the threats we see in cyberspace. It is too slow, too reactive and too static, and it sets minimums when what we need is a dynamic model equipped to grow with the ever-evolving threat.