It’s not news that cyber-attacks are increasing both in number and sophistication and that the increasing criticality of the attack methods demands increased attention especially with respect to critical infrastructures.
Also, due to the uniqueness of information systems, the speed with which attack methods and technologies change the traditional regulatory model has been deemed to be ill-suited for promoting effective security.
Of course, some industries – often in critical infrastructure sectors – operate in an economic model that is inherently tied to regulations and for these industries a regulatory approach could be the most sensible approach.
However, uncoordinated regulatory initiatives, sometimes driven by agency turf considerations rather than proven effective strategies, can be more dangerous for critical sectors – and the citizens they serve –than no regulations at all.
History shows us that cyber regulation is not a guarantee for increased security. For example, the healthcare industry’s information security practices have been regulated for more than two decades under the Health Insurance Portability and Accountability Act. And yet research has consistently demonstrated that the healthcare industry is among the very worst in terms of protecting its corporate systems and its patient’s personal health data.
We find a similar situation in financial services. The Financial Services Sector Coordinating Council reported in 2018 that 40 percent of financial institution CISOs’ time was spent on “compliance and reconciling competing, duplicative, redundant, and inefficient cybersecurity supervisory examinations.” Given the increasing seriousness of the cyber threat and the enormous scarcity of cyber security resources we simply can’t afford to be wasting 40% our scarce resources filling out the same forms repeatedly.
Perhaps ironically, the problem is not tied just to government regulations of the private sector. We are seeing virtually the same issue arise in government to government relations. According to the National Association of State Chief Information Officers, state CIOs must spend much of their resources answering multiple federal agencies that regulate and audit states’ information security practices. The state of Oklahoma, for example, devoted 43 percent of the total (does that percentage sound familiar?) available for cybersecurity on compliance-related activities.
Now industry sources and cybersecurity experts warn that energy companies are becoming incredibly targeted for cyber intrusions. Concerns about a potential disruption of American energy are causing policymakers to review whether government’s current approach to overseeing the natural gas and pipeline industry is appropriate. These policymakers need to learn from other sectors about how to – and how not to –approach regulating cybersecurity practices.
The American natural gas industry already answers to multiple federal regulators, including several components of the Department of Homeland Security (including Transportation Security Administration, the Coast Guard, and the Cybersecurity and Infrastructure Security Agency), the Department of Transportation (the Pipeline and Hazardous Materials Safety Administration), and the Department of Energy (Federal Energy Regulatory Commission). The natural gas industry is also regulated by state public utility commissions. These regulatory agencies are considering establishing new or expanding existing cybersecurity regulations. Some are calling for increased or reformed federal oversight of American pipeline’s cybersecurity, for example, following a December GAO report identified weaknesses.
This maybe a case where regulations need to be reviewed and updated. However, if this is to be done it needs to be done in a way that maximizes efficiency and effectiveness and aggressively weeds out redundancy and waste. We can’t afford to continue these haphazard cyber regulatory regimes when our goal is to assure security of critical infrastructure.