DO CYBER REGULATIONS IMPROVE SECURITY? (SPOILER ALERT: NO)

October 18, 2023

Introduction by ISA President Larry Clinton

People new to the cybersecurity issue often suggest that what is needed is a strict regulatory model.

However, as Richard Clarke and Robert Knake, two of the most experienced and well-respected experts in the field of cybersecurity, point out in their book The Fifth Domain, “There is a mountain of cybersecurity regulation created by federal agencies. Banks, nuclear power plants, self-driving cars, hospitals, insurance companies, defense contractors, passenger aircraft, chemical plants, and dozens of other private sector entities are all subject to cybersecurity regulation by a nearly indecipherable stream of agencies including FTC, FAA, DHS, FERC, DOE, HHS, OCC, and so on.” 

Presumably, in such a system the federal government would prescribe a set of effective standards that industry would have to comply with, subject to independent audit and to enforcement, including stiff penalties, for lack of compliance.

Unfortunately, this suggestion demonstrates a fundamental lack of understanding of the nature of the cybersecurity problem. It also reveals a lack of awareness of the extent to which regulation has already been attempted, and of how little success it has found. More important, it fails to recognize that the traditional regulatory frameworks are fundamentally ill suited to the digital age, a conclusion that has been reached even by those who have been put in charge of implementing such frameworks (LINK).

The foundational assumption of the expert agency model is that government knows what to do, and that all that is needed is to compel a recalcitrant private sector to follow government mandates. However, there is no evidence that the government has attained that degree of expertise in cybersecurity. In fact, the data suggest the opposite.

For example, the healthcare industry has long been one of the most heavily regulated sectors for cybersecurity in the nation. Yet it is well known that the healthcare sector is also one of the worst when it comes to managing cyber risk. In a recent comprehensive study, ESI ThoughtLab found that healthcare institutions ranked 11th of 13 critical sectors in terms of average loss relative to revenue. The healthcare sector also ranked 11th of 13 sectors in terms of understanding cyber risk using state-of-the-art quantitative methods, and 13th of 13 in terms of plans to increase spending. The study also found that, on average, healthcare institutions vastly underestimated the probability of a cyber breach, and that fewer than half of them had disaster recovery plans or cyber incident recovery plans, or conducted regular cyber risk assessments or stress tests.

It is often suggested that the heavily regulated financial sector is one of the best at managing cyber risk, but again the data do not bear that out. The ThoughtLab study found that the financial services industry was empirically not the consensus industry leader, as might have been expected. In fact, among the 13 industry sectors analyzed, financial services led only in terms of plans to boost spending (followed closely in second place by the largely unregulated technology sector). This is consistent with the general understanding within the industry that regulation spurs increased spending but not necessarily increased security. Financial services came out in the middle of the road in terms of losses relative to revenue; it was equivalent to healthcare in vastly underestimating the likelihood of a cyber breach, and it was only slightly better than the healthcare sector in terms of cybersecurity effectiveness, with just over 50 percent of financial institutions having disaster recovery plans and cyber incident and recovery plans and conducting regular risk assessments and stress tests.

Overall, the ESI study found that heavily regulated sectors like finance and healthcare regularly ranked below generally unregulated sectors such as technology, automotive, and manufacturing on several critical cybersecurity measures.

This failure is not confined to the private sector; even heavily regulated government agencies struggle with cybersecurity regulation. The SolarWinds attack of 2020 compromised multiple significant government agencies, including DHS, and the government was completely unaware of the attack until informed by private sector victims. An April 2020 report from the Government Accountability Office (GAO) on the Defense Department's cybersecurity found that the Pentagon had not fully implemented even its own initiatives and practices for improving cyber hygiene, leaving the department in the dark as to how and when to respond to breaches.

According to the report, "The department does not know the extent that cyber hygiene practices have been implemented to protect DOD networks from key cyberattack techniques." A 2019 US Senate Investigations Subcommittee review of agencies' compliance with NIST cybersecurity standards found that 88 percent of them failed to properly protect personally identifiable information, 63 percent did not have an accurate inventory of their IT assets, and 75 percent did not install security patches. More broadly, a 2019 GAO report found that the White House Office of Management and Budget and DHS had examined the capabilities of 96 civilian agencies across 76 cybersecurity metrics and found that 71 of those agencies had cybersecurity programs that were either at risk or at high risk. The assessment also stated that agencies were not equipped to determine how malicious actors seek to gain access to their information systems and data.

If even the government cannot make the current cybersecurity regulatory model work for itself, how can it be expected to regulate the vast private sector?

Of course, regulated industries will need some form of regulation for cybersecurity. The question is not whether these entities should be regulated, but whether the regulation actually works. The data, some of which now spans decades, clearly show that the current regulatory model is not the right model. In our next series of posts we will articulate an alternative model that should replace the wasteful current one.