A ONCE IN A LIFETIME OPPORTUNITY TO GET GOVERNMENT RIGHT ON CYBERSECURITY
PART III THE FASTEST (AND CHEAPEST) WAY TO IMPROVE CYBERSECURITY: REFORM REGULATION
This Congress could enact two comparatively simple administrative changes that would generate the biggest improvement in US cybersecurity in legislative history, and both would cost virtually nothing.
This week the House Homeland Security Cyber Subcommittee will hold a hearing on eliminating the massive redundancies in existing cybersecurity regulation. This will be the latest in a long, very long, series of congressional hearings on this subject.
The numerous investigations into this topic, including the 2023 National Cybersecurity Strategy, all yield basically the same set of facts. Depending on which sector you analyze, between 40% and 80% of existing (and inadequate) cybersecurity budgets are currently being wasted on redundant regulatory compliance regimes.
THE TIME TO REFORM CYBERSECURITY REGULATION IS NOW
Our nation, government and industry alike, is under constant cyber-attack. Annual economic losses from cyberattacks are roughly $20 trillion. We don’t have nearly enough resources to properly defend ourselves. Meanwhile, we are wasting vast amounts of the limited resources we do have on duplicative regulations, which have never been proven to improve security anyhow.
The time to act is now. No more studies, commissions, plans to create plans, or pilot tests. Congress needs to push aside the innumerable agency turf battles and streamline cyber regulation in our national security interest. After one House hearing last year, Politico’s lead story said everyone knows cybersecurity regulation is redundant and needs to be reformed, but no one can agree on how to do it.
The first part of that headline is true, the second part is not. There is a fairly simple and direct way to quickly address the problem of regulatory redundancy, and an even simpler way to verify if the regulations work at all.
To deal with wasteful regulatory duplication, OMB, which has authority to pass on all federal government regulations, should simply require that any agency seeking to enforce a cybersecurity regulation certify that the regulation in question is not redundant with another regulation. OMB arguably already has this authority under Executive Orders issued by both the Clinton and Trump Administrations. However, putting that requirement into legislation is apparently needed, and would resolve the issue regardless of which Administration holds the White House.
Actually, the idea that we can’t rationalize our cyber regulations because no one knows how to do it is a bit bizarre and doesn’t speak particularly well of us in the cybersecurity community. At the end of the day, streamlining regulation is just an administrative task.
There are some very hard problems to solve in the cybersecurity world. I’m not sure anyone knows what to do about AI, let alone the coming Quantum issues that might undermine virtually all of our current security technologies. But coordinating the regulatory apparatus is really just paperwork.
This is not to say that the process is necessarily easy, just that it is doable. And the onus for making it happen ought to lie with the entities that created the problem. Not to point fingers here (alright, I’m pointing fingers), but this massive waste was created by our government. China didn’t do this to us.
For years regulators created mounds of new regulations without devoting adequate attention to the existence of similar regulations applied to the same targets by their colleagues in other agencies. They have also paid too little attention to the counterproductive consequences their regulations would have on the regulated entities, and on our collective national security.
Moreover, while in the past this might have been laborious work for regulatory lawyers, we now have advanced technologies, including Artificial Intelligence tools, that can be adapted to do this work fairly quickly and inexpensively. AI tools are already being used to address similar problems in other areas, such as streamlining international trade agreements. We should be clever enough to do the same in cyber.
This does not mean we will turn the establishment of cyber regulations over to the technology. The tools can be used to identify the areas of redundancy, including between agencies (and even to generate language to resolve them). OMB can then require that the agencies, working with industry, resolve the redundancies by a date certain within 180 days, or OMB will make the call. Thus, we can keep humans in the loop, but OMB would be empowered to make sure the de-duplication was accomplished and the needed resources freed up to address actual security issues instead of redundant compliance regimes.
THERE IS NO EVIDENCE THE REGULATIONS ENHANCE SECURITY ANYWAY
The first step in cybersecurity regulatory reform needs to be the elimination of the duplicative requirements, thus freeing vast amounts of existing cybersecurity resources to do their job.
The next step needs to be to ensure that the regulations, some of which have been in effect for many years, actually improve security.
The most sophisticated work regarding the methodology and impact of cybersecurity regulations is Douglas Hubbard’s book How to Measure Anything in Cybersecurity. Hubbard’s exhaustive analysis essentially concludes that there is no evidence any of the cybersecurity regulations improve security. The massive continuing growth in successful cyber-attacks despite mounds of regulations would seem to verify this finding.
Indeed, one of the most important lessons members of corporate boards of directors need to learn from their cyber education programs is that being in compliance with various cyber regulations does not mean that their organization is secure.
Not only do the regulations need to demonstrate that they improve security, they also need to demonstrate that they do so in a cost-effective fashion. Even if cyber regulations did enhance security, if they don’t do so in a cost-effective manner the system is not sustainable. In such a case, government needs to supply economic incentives to complement the requirements.
Every Presidential Administration in the digital age has championed the need to create market incentives for cybersecurity; however, there has been virtually no effort to do so (the 2015 CISA Act being a notable exception).
Executive Orders dating back 30 years, and reinforced by recent Trump EOs, suggest that regulations need to be tested for cost benefit. EO 13636, which created the NIST Cybersecurity Framework (NIST CSF) upon which virtually all US regulations are based, specifically called for cost-benefit analysis. Yet now, a dozen years after the NIST CSF was created, there has never been any attempt to systematically test the NIST CSF, or the regulations based on it, for either security effectiveness or cost benefit.
This is a space where government could learn from the private sector. While determining cost effectiveness does require careful design, it is a fairly routine process that is widely used in the private sector. Again, not really easy, but definitely doable. No private sector entity would let a program go for dozens of years without testing it for cost effectiveness. In fact, best practice in industry for several years has been to quickly analyze new programs within the first few months of deployment. Companies routinely find that expectations for new programs, both positive and negative, are often not borne out in actuality, and that it is best to make the minor changes sooner rather than later. A lesson government should learn.
Unfortunately, government, with no real budget limitations, has simply increased cyber regulations for decades without showing any success, or even systematically assessing their progress to make minor repairs, let alone properly organizing the system.
By simply practicing basic business practices such as eliminating bureaucratic redundancy and developing measures of cost effectiveness, government has an opportunity to make significant strides toward improving our nation’s cybersecurity at virtually no cost.