Regulation of Cybersecurity Has Been Tried and It Doesn’t Work

January 21, 2022

By Larry Clinton

The focus of the current series of posts is to suggest the need for new directions in cybersecurity policy. Put succinctly, it’s not just that we need to do cybersecurity better – it’s that we need to do cybersecurity differently.

Why? Because we are getting killed out there. Cybercriminals generate roughly $2 trillion in economic harm – roughly the equivalent of the United States’ GDP. Yet, we successfully prosecute less than 1 percent of cybercriminals, and that doesn’t even reach the massive geopolitical threat raised by nation-state and state-affiliated attacks.

Notwithstanding these largely uncontested facts, government seems wedded to outdated regulatory models as its prime weapon in the “partnership” with the private sector designed to address the cyber threat. In public policy discussions, it is common for someone to raise the prospect of increased government regulation as the stick that will be used on industry if it doesn’t get its act together with respect to cybersecurity.

These conversations rarely focus on the far-greater need for government to get its act together, such as by improving law enforcement or developing an adequate cyber workforce – issues we have covered in previous posts.

What seems to be missed quite often is the fact that government regulation of cybersecurity has been going on for nearly two decades – and despite these “sticks,” the problem only continues to get worse.

It is a common misconception that cybersecurity regulation has not been tried. In their recent book The Fifth Domain, Dick Clarke and Robert Knake point out, “There is a mountain of cybersecurity regulation created by federal agencies. Banks, nuclear power plants, self-driving cars, hospitals, insurance companies, defense contractors, passenger aircraft, chemical plants, and dozens of other private sector entities are all subject to cybersecurity regulation by a nearly indecipherable stream of agencies including FTC, FAA, DHS, FERC, DOE, HHS, OCC, and so on.”

Examining some of the highlighted cases of cybersecurity regulation demonstrates the faulty nature of the model in this space. For example, Clarke and Knake point to the healthcare industry as one of the earliest and most heavily regulated industries for cybersecurity. However, the evidence shows clearly that regulation hasn’t worked.

Healthcare institutions were some of the first entities to be regulated for cyber under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Yet, they are one of the sectors that fares the worst when it comes to cybersecurity. Recent industry analysis found that successful cyber-attacks in healthcare increased by 71 percent since 2019. As John Schneider, Chief Technology Officer at Apixio, noted, “We shouldn’t look to HIPAA to provide guidance there, either. Expecting regulations to fix data security problems is unrealistic.”

ESI ThoughtLab found healthcare institutions ranked 11th out of 13 critical sectors in terms of average loss compared to revenue. Healthcare also ranked 11th of 13 sectors in terms of understanding cyber-risk using state-of-the-art quantitative methods and 13th out of 13 sectors in terms of plans to increase spending. The study also found that healthcare institutions on average vastly underestimated the probability of a cyber breach, and less than half of the healthcare institutions had disaster recovery plans or cyber incident recovery plans, or did regular cyber risk assessments or stress tests.

The ESI study also found the regulated financial services industry did better than healthcare but was empirically not the consensus industry leader in cybersecurity, as might have been expected. In fact, among the 13 industry sectors ESI analyzed, financial services led only in terms of plans to boost spending (followed closely by the largely unregulated technology sector in second place).

Financial services came out middle of the road in terms of losses compared to revenues and was equivalent to healthcare in terms of vastly underestimating the likelihood of a cyber breach. The financial sector was only slightly better than the healthcare sector, with just over 50 percent of financial institutions having disaster recovery plans, cyber incident and recovery plans, and conducting regular risk assessments and stress tests.

Overall, the ESI study found that heavily regulated sectors like finance and health regularly ranked below generally unregulated sectors like tech, general automotive, and manufacturing on several critical cybersecurity measures.

Even government officials charged with implementing cyber requirements in heavily regulated sectors like telecommunications have concluded that traditional regulatory efforts have proven to be inadequate, not because they haven’t been tried, but because they are the wrong tool for this problem.

The former Chairman of the FCC under President Obama, Thomas Wheeler – charged with regulating the vast telecommunications industry – and Retired Rear Admiral David Simpson both have experience working in the heavily regulated industries of telecommunications and defense, and are themselves experienced regulators.

They wrote for the Brookings Institution in 2019 that: “Current procedural rules for government agencies were developed in an industrial environment in which innovation and change – let alone security threats – developed more slowly. The fast pace of digital innovation and threats requires a new approach to the government business relationship… As presently structured government is not in a good position to get ahead of the threat and determine standards and compliance measures where the technology and adversary’s activities change so rapidly. A new cybersecurity regulatory paradigm should be developed that seeks to deescalate the adversarial relationship that can develop between regulators and the companies they oversee. This would replace the detailed compliance instructions left over from the industrial era.”

The overwhelming evidence is that despite years and years of government regulation, the cybersecurity issue keeps getting worse. This leads to the obvious question – why are we still doing it, and why are we talking (incessantly) about doing more of it?

Perhaps the answer is as simple as our government partners simply don’t know what else to do. To determine an alternative, it may be helpful to start by better understanding why the regulatory paradigm is not effective in this space. With that answer, we may begin to evolve the new paradigm Wheeler and Simpson suggest. We will explore these issues in our next post.