Rethinking Cyber Regulation — Part I

June 18, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

Last Thursday’s confirmation hearing for Chris Inglis and Jen Easterly renewed talk of the need for federal regulation over cybersecurity.

Of course, federal regulation for cybersecurity is certainly appropriate in some instances. However, too often “regulation” thrown out on the table by policymakers as if it were a panacea that will hold companies accountable for poor security.

If policymakers are going to talk seriously about cybersecurity regulation, they ought to be clear about exactly what they are talking about and why.

Are they proposing to regulate the hardware? The software? The end-user? All the above? Does that include government agencies who fail to protect their systems? If not, why not? Who exactly is going to write the regulations? Someone different than the agencies who write them now? How do we keep them current with sophisticated threats? Given the shortage of adequate cybersecurity personnel how do we assure requirements, like speedy (hasty?) mandatory reporting are not leveraged by the attackers to create distractions and divert scarce resources to a faux attack while launching significant attacks elsewhere in the system – a common tactic that would become more attractive under speedy reporting rules?

It’s also critical to be clear about why we are instituting the regulation.  The goal of cybersecurity regulation ought not to be, as often asserted, to assure “accountability.” It ought to be effectiveness. To hold people “accountable” for not doing things that would not have worked if they had done it themselves provides no legitimate public policy benefit.

As we documented in our last post, there are already a very wide range of federal cybersecurity regulations in existence, and there is no evidence that it works. In fact, recent independent studies show heavily regulated sectors do not fare better in terms of actual security than do less regulated sectors.

Any federal cybersecurity regulation needs to be subject to speedy and empirical cost benefit analysis. Regulations that are not achieving the goal of improving security (and there are several legitimate ways to measure that) ought to be modified or eliminated and replaced with better methods. (Actually, this is true for all regulation, but we will stay focused here.)

The presumptive new National Cyber Director Chris Inglis was a member of the Solarium Commission, and one of the Commission’s recommendation was to create a statistics bureau within the new Director’s office. If such an office is created the very first thing, they ought to do is collect statistics on the effectiveness of existing federal cybersecurity programs.

This is a space where the new Cyber Director Office can take a useful page from leading private sector organizations.  Leading private entities have increasingly been implementing agile management systems which reduce redundancy while increasing efficiency and effectiveness.  Agile organizational structures have been adopted by several major financial institutions specifically for their own cyber-crime prevention and response divisions – some of which are larger than the FBI’s similar offices.

One of the core characteristics of agile management systems is the speedy evaluation of programs after implementation.  Agile management encourages quick evaluation – often independent of the program’s implementation team, so that assumptions can be tested, unintended consequences can be discovered and modified.  Firms attempt to quickly discover where mistakes are being made and quicky modify them, and at the same time document what aspects of the new programs are working—perhaps beyond expectations — and these can be enhanced and possibly disseminated more broadly.

We don’t do anything like that with cybersecurity regulation. Instead, essentially the same model is simply maintained and expanded. It’s hard considering current evidence that these programs are adequate to the needs of either the public or private sector.

The new director’s office can, and should, take a fresh look at our overall approach to cybersecurity and encourage moving away from our historic focus on operations and technology (Including long check lists of operational mandates) and expand the vision of our cybersecurity efforts to make them more modern, strategic, and systemically evaluated. 

In fact, ill-considered cybersecurity regulation (even if well intended) can make things worse.  Just last year the CBO reported that as much as 70% of the federal cybersecurity regulation on states and localities was conflicting or redundant.  That means that the states and localities – already strapped for funds and cyber expertise – are wasting up to 70% of their cybersecurity budgets due to federal government mismanagement. Similar figures exist with respect to federal cybersecurity regulation of elements of the private sector.

The cybersecurity field is filled with intractable problems like securing long supply chains, fighting off nation states, addressing systemic attacks like SolarWinds, but the enormous waste of scarce cyber resources due to uncoordinated federal regulation is entirely a government created problem that the government can resolve if its willing to make the effort.

Physician, heal thyself.

Not only should redundancy and conflict in existing regulation be rooted out, but the effectiveness of the programs themselves needs to be established.  Einstein probably never really said doing the same thing over and over is the definition of insanity, but maybe he should have.  In any event it would be insane to continue doing things the way we are doing them and expect that all the sudden they will work.

Join the Rethink Cybersecurity Community click here