March 1, 2023

There is a is a common misconception that cybersecurity regulation has not been tried, and that, if only there was federal regulation of cyberspace, we would have a more secure environment. The facts don’t bear out this assertion.  In our next two posts, we will first lay out the empirical evidence that cyber regulation does not work and, then in the next post, discuss why this is the case.

In their recent book, The Fifth Domain, Dick Clarke and Robert Knake point out, “There is a mountain of cybersecurity regulation created by federal agencies. Banks, nuclear power plants, self-driving cars, hospitals, insurance companies, defense contractors, passenger aircraft, chemical plants, and dozens of other private sector entities are all subject to cybersecurity regulation by a nearly indecipherable stream of agencies including FTC, FAA, DHS, FERC, DOE, HHS, OCC, and so on.”

The obvious facts are that these cybersecurity regulatory models have not proven to actually increase security. In fact, government agencies, themselves, have difficulty complying with their own cyber security mandates. And even the most heavily regulated industries for cyber, when assessed empirically, don’t demonstrate greater overall security than the less regulated industries. 

For example, Clarke and Knake point to the healthcare industry as one of the earliest and most heavily regulated industries for cybersecurity. Healthcare institutions were some of the first entities to be regulated for cyber under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Yet, recent statistical analysis found that successful cyberattacks in healthcare have increased by 71 percent since 2019. As John Schneider, Chief Technology Officer at Apixio, noted, “We shouldn’t look to HIPAA to provide guidance there, either. Expecting regulations to fix data security problems is unrealistic.”

In their 2020 study of over 1,000 companies, ESI ThoughtLab found that healthcare institutions ranked 11th out of 13 critical sectors in terms of average loss compared to revenue. Healthcare also ranked 11th in terms of understanding cyber-risk using state-of-the art quantitative methods, and 13th in terms of plans to increase spending. The study also found that healthcare institutions, on average, vastly underestimated the probability of a cyber breach, and fewer than half of the healthcare institutions had disaster recovery plans, cyber incident recovery plans, or did regular cyber risk assessments or stress tests.

There is also some “common wisdom” that the heavily cyber regulated financial services sector is the industry model for effective cybersecurity.  While the financial services industry does lead in some aspects – such as money spent – the idea that regulation is proving successful in securing financial networks is not born out by independent research. The ESI study found that the financial services industry, while better than healthcare – not a high bar — was not the leader in cybersecurity as might have been expected.

Financial services came out in the middle in terms of losses compared to revenues and was equivalent to healthcare in terms of vastly underestimating the likelihood of a cyber breach. The financial sector was only slightly better than the healthcare sector in cyber planning, with just over 50 percent of financial institutions having disaster recovery strategies, recovery plans, and the scheduling of risk assessments.

Overall, the ESI study found heavily regulated sectors like finance and healthcare regularly ranked below generally unregulated sectors like tech, general automotive, and manufacturing sectors in a number of other critical cybersecurity measures. 

Even the federal government is failing to meet its own regulatory mandates.  The Government Accountability Office (GAO) research shows that there have been 712 recommendations in public reports since 2010, and, as of December 2022, the federal government had not met 150 of them. If the government cannot fulfill its own regulatory expectations, how can theyhold private actors accountable?

The overwhelming evidence is that, despite years and years the traditional model of government regulation, cyber insecurity keeps spreading to new fronts. This leads to the obvious question – why are we still relying on regulations, and why are we talking about doing more of it?

Of course, the fact that the 20th century model of regulation (actually it’s an 19 century model, but who’s counting?) doesn’t work doesn’t mean that all forms of regulation don’t work. Clearly certain privacy regulations such as notice of personal data breach and reparation make sense. CISA Director Jen Easterly and Eric Goldstein, in a recent Foreign Affairs article, call for a “new model” of regulation which is a promising pathway.  And, certainly, economic sectors wherein the core economics of the sector are based on a regulatory model (such as utilities) can be adapted to a form of regulation — and we will suggest some of these in upcoming posts. However, as we await a “new” cybersecurity strategy one would hope the new strategy would not turn out to be a case of meet the new boss, same as the old boss.

Traditional regulation doesn’t work in the digital age, and especially when we consider the sophisticated attack strategies of our adversaries (see previous blogs in this series) we need a truly new and more effective approach.

(Based on Fixing American Cyber Security: Creating a Strategic Public Private Partnership – Georgetown University Press 2023.)