January 14, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

In previous posts we have argued that the traditional regulatory model is ill-suited to address the nature of threats we see in cyberspace.  It is too slow, too reactive, static and it sets minimums when what we need is a dynamic model equipped to grow with the ever-evolving threat.

It is a common misnomer that cybersecurity regulation has not been tried. As Clarke and Knake point out in their 2019 book The Fifth Domain “there is a mountain of cybersecurity regulation created by federal agencies. banks, nuclear power plants, self-driving cars, hospitals, insurance companies, defense contractors, passenger aircraft, chemical plants and dozens of other private sector entities are all subject to cybersecurity regulation by a nearly indecipherable stream of agencies including FTC, FAA, DHS, FERC, DOE, HHS , OCC, and on and so on.”.

We will now look at the empirical evidence and the testimony of the regulators who have tried to use it to demonstrate the faulty nature of the model in this space. For example, Clarke and Knake point to the healthcare industry as one of the earliest and most heavily regulated industries for cybersecurity.  However, the evidence shows fairly clearly it hasn’t worked.

Healthcare institutions were some of the first entities to be regulated for cyber under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Yet they are one of the sectors that fares the worst when it comes to cybersecurity. In fact, data breaches are the number one regulatory challenge facing the health care sector. Just because one is HIPAA compliant does not mean they are properly protected from cyber-attacks, which are increasing at an alarming rate due to the COVID-19 pandemic.  John Schneider, Chief Technology Officer at Apixio, noted, “we shouldn’t look to HIPAA to provide guidance there either. Expecting regulations to fix data security problems is unrealistic.”

One of the deficiencies of the regulatory model is that its goals are compliance and there is little incentive for entities to go beyond what the compliance standard is even if more is required to provide actual security effectiveness.  Said another way, compliance is helpful but not sufficient to combat today’s cybersecurity challenges.   In a recent comprehensive study, ESI ThoughtLab found that notwithstanding their long standing and heavily regulated nature for cybersecurity, health care institutions ranked 11th out of 13 critical sectors in terms of average loss compared to revenue from cyber-attacks.  Health care also ranked 11th of 13 sectors in terms of understanding cyber risk using state-of-the art quantitative methods and 13th out of 13 sectors in terms of plans to increase spending. The study also found that healthcare institutions on average vastly underestimated the probability of a cyber breach and less than half of the healthcare institutions had disaster recovery plans, cyber incident recovery plans or did regular cyber risk assessments or stress tests.

The heavily regulated financial services industry did better than healthcare but, again despite detailed cyber regulations, was not the consensus industry leader as might have been expected. In fact, among the 13 industry sectors analyzed financial services led only in terms of plans to boost spending (followed closely by the largely unregulated technology sector in second place). Financial services came out middle of the road in terms of losses compared to revenues, was equivalent to healthcare in terms of vastly underestimating the likelihood of a cyber breach and only slightly better than the healthcare sector with just over 50% of financial institutions having disaster recovery plans, cyber incident and recovery plans and conducting regular risk assessments and stress tests.

Overall, the ESI study found heavily regulated sectors like finance and health regularly ranked often below generally unregulated sectors like tech, general automotive, and manufacturing sectors in several critical cybersecurity measures.

Even government officials charged with implementing cyber requirements in heavily regulated sectors like telecommunications have come to the conclusion that traditional regulatory efforts have proven to be inadequate not because they haven’t been tried but because they are the wrong tool for this particular problem.

The former Chairman of the FCC under President Obama, Thomas Wheeler– charged with regulating the vast telecommunications industry — and Retired Rear Admiral David Simpson, both experienced working in the heavily regulated industries of telecommunications and defense, as well as experienced regulators themselves, wrote for the Brookings Institution last year that:

“Current procedural rules for government agencies were developed in an industrial environment in which innovation and change – let alone security threats – developed more slowly.  The fast pace of digital innovation and threats requires a new approach to the government business relationship… As presently structured government is not in a good position to get ahead of the threat and determine standards and compliance measures where the technology and adversary’s activities change so rapidly. A new cybersecurity regulatory paradigm should be developed that seeks to deescalate the adversarial relationship that can develop between regulators and the companies they oversee.  This would replace the detailed compliance instructions left over from the industrial era.”

Traditional regulation empirically doesn’t work, in fact as we will show later its actually anti-security as it wastes scarce cybersecurity resources.  It is an outmoded methodology for a modern problem.  However, if we are going to construct a modern governance system, we have to know not just that the current system doesn’t work, but why it doesn’t work (it’s more than speed) so we can design a newer more effective method.  We begin that with tomorrow’s post.

Join the Rethink Cybersecurity Community click here