March 15, 2023

The traditional regulatory model – when applied to cybersecurity – is actually anti-security.

For all the discussion around the Biden Administration’s new cyber strategy generating new regulations, this one simple fact remains. There is no evidence the cyber regs are working.

The real question is not so much how many new regulations there ought to be.

Rather, the question is how new the regulations ought to be.

In its recently released 2023 National Cybersecurity Strategy, the White House states, “Effective regulations minimize the cost and burden of compliance, enabling organizations to invest resources in building resilience, and defending their systems and assets. By leveraging existing international standards in a manner consistent with current policy and law, regulatory agencies can minimize the burden of unique requirements and reduce the need for regulatory harmonization.”

Nice thought. Is there any evidence, anywhere, that that is true?

Spoiler alert: NO.

In his exhaustive review of the literature on cyber regulation in the classic book How to Measure Everything In Cybersecurity, Douglas Hubbard concluded that none of the ordinal scales, which are the basis of virtually all current cyber regulation (and there is a ton of that), has ever been shown to actually improve security.

That is a more polite way of saying all the previous cyber regulations have been a complete waste of time, since the ostensible reason for these regulations is that they will improve security. It follows then that more regs based on the same faulty assumptions will be an even bigger waste of time.

Of course, some regulators may not be bothered by wasting the time of large companies doing cyber regulation. After all, the feeling is, these are big companies and at least we are making them do something.

Such a philosophy is not only simplistic (not to mention arrogant), but it’s also counter-productive.

CISA Director Jen Easterly and Asst. Director Eric Goldstein are on the right pathway in their recent Foreign Affairs article, where they assert that we need a new model for cyber regulation.

Imposing new cyber regulations following the traditional “checklist” of mandates model not only doesn’t work, but it actually diverts scarce resources and weakens our existing safeguards.

This problem is exacerbated when the – arguably useless – regulations are redundant or in conflict.

Numerous studies have indicated that we lack enough cyber security professionals. Estimates are that as many as 3.5 million cyber security jobs will be unfilled this year—750,000 in the US and 35,000 in the federal government alone. Moreover, as much as 40% of cyber budgets are wasted through unnecessary regulatory duplication.  According to GAO, the problem is even more acute at the state and local level with as much as 70% of federal cyber regulations on the states being redundant.

The result is that the few professionals we do have, already stretched thin by the constant stream of ever more sophisticated attacks, are busy complying with regulations which not only have not been proven to work but are often redundant. This takes up time and resources that security practitioners could focus on their core security mission and diverts energy to the compliance regime – which has no proven security benefit.

Despite the fact that federal law requires that regulations be cost effective, the Administration has never fulfilled that requirement with regard to any cyber security mandates.

And when I say Administration, I mean the Clinton Administration, the Bush Administration, the Obama Administration, and the Trump Administration.

The Biden Administration’s new strategy at least recognizes the problem of regulatory overlap, stating, “Where Federal regulations are in conflict, duplicative, or overly burdensome, regulators must work together to minimize these harms. When necessary, the United States will pursue cross-border regulatory harmonization to prevent cybersecurity requirements from impeding digital trade flows.”

That would be a great first step.  As House Homeland Security Chair Green and Cyber Subcommittee Chair Garbarino have wisely noted, this streamlining of cyber regulations needs to take place before new regulations are added to the mix.  Such a step would immediately free up 40-70% of current cybersecurity resources to be refocused on actual security practice.

But that is just the first step. The necessary next step is to reform the cyber regulatory process itself.

Again, the new national strategy seems to be pointing in the right direction, saying, “ONCD will work with interagency partners to develop and publish an implementation plan… The plan will focus on assessing effectiveness, (and) calls for a “data-driven approach” to determine effectiveness with measurements on “investments made, our progress toward implementation, and ultimate outcomes and effectiveness of these efforts.”

Actually, this is essentially a restatement of current law, which does require regulations to be cost effective – it’s just a provision that government tends to ignore – we don’t have time for that anymore. Moreover, the new model for cyber regulation needs to be – a new model. Not the same old model – checklists of government-determined (and often not government-followed – separate story) mandates. Instead, if anything is to be required, it ought to be a systematic process to assess an entity’s unique cyber threat in empirical and economic terms consistent with the organization’s business plan, along with a risk management process, to effectively address that risk.

Next week, the National Association of Corporate Directors and the Internet Security Alliance will be releasing its fourth edition of the Cyber Risk Handbook for Corporate Directors – in coordination with CISA and the FBI. The handbook describes such a process. In addition, it has been independently assessed and found to generate multiple actual security outcomes at low cost. Following that tested process – as opposed to a list of untested technical mandates – should be the basis for the new regulatory model.