Rethinking Cyber Regulation Part II: Creating A Risk-Based Regulatory System

June 22, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

In our previous post, we noted that the new National Cyber Director’s office, which is charged with coordinating federal cyber policy, ought to begin that effort by evaluating and coordinating current cyber regulation. We pointed to studies (including government studies) that showed from 40 to 70 percent of federal cyber regulation – including those imposed on states and localities – is redundant and/or conflicting, thus wasting scarce cyber resources. 

This regulation is making a bad problem worse.

We suggested that not only should redundancy and conflict in existing regulation be rooted out, but also that the effectiveness of the programs themselves be determined. Einstein probably never really said, “Doing the same thing over and over is the definition of insanity,” but maybe he should have. In any event, it would be insane to continue doing things the way we are doing them and expect that all of a sudden they will work.

As we stated in Part I, policymakers who want to promote increased regulation ought to be clear about exactly what they are trying to accomplish. They should include in their proposals methods to test and modify the regulations if they are not meeting clear goals.

We noted that the appropriate public policy goal of regulation is not “accountability.” It’s effectiveness. Without including effectiveness and cost-effectiveness measures in regulatory proposals, we will likely continue the wasteful and ineffective system we have been promoting in much of critical infrastructure for most of the past two decades.

However, responsibility and accountability, while not the appropriate goal of cyber regulation, are an issue worth discussing. Who is and should be responsible and accountable for enhancing the cybersecurity system that is a shared resource between industry and government? Once the responsibilities, and hence the appropriate accountabilities, are clearly delineated, the model – including the regulatory model – should assure that industry and government players both fulfill their responsibilities and are held accountable if they don’t.

According to the National Infrastructure Protection Plan written by the Obama-Biden administration, private companies “appropriately” assess risk on a commercial level, which is more risk tolerant than appropriate government risk assessment (everyone knows 5 percent of the inventory is “walking out the back door” – industry doesn’t hire more guards if it costs 6 percent).

Government has larger appropriate responsibilities. For government, security is not a cost of doing business. They have broader responsibilities such as national defense and running social programs. The problem is that, in the cyber context, government and industry are using the same system, and industry is now on the front lines of national defense. This cannot be accommodated with commercial-level security investment and cannot be sustainably borne by private entities who are responsible, in a market economy, to attract capital growth, maintain their business, provide services, create jobs, and fund the government’s tax base.

Industry clearly has a responsibility to provide a legitimate level of commercial security. If, for national security reasons in the internet context, security needs to be provided above the commercial level, then it becomes government’s responsibility to do so.

Understanding that cybersecurity, especially of critical infrastructure, needs to be a joint responsibility, it is legitimate that government require that industry reach that appropriate level of commercial security. However, in the real world, that appropriate level differs from organization to organization. There is no one-size-fits-all set of adequate security measures that will assure all entities in a particular sector are fulfilling their responsibilities. 

In a market economy, what is responsible for each company is defined by that company’s specific business plan. Government should not be asserting the right to demand that companies fund security that is not consistent with their business plan (unless government is prepared to pay for the private entity to provide that national defense service). However, government is entirely within its rights to demand that private companies fulfill their full commercial-level security responsibilities.

How do we do that?

Fortunately, the private sector has already developed innovative, far more precise cyber risk assessments that can legitimately define cyber risk in empirical and economic terms consistent with each organization’s cyber risk and business plans. Visionary cyber regulation should demand that private entities conduct these more sophisticated cyber risk assessments and then fund the security measures required to appropriately address the risks they identify.

Use of modern comprehensive cyber risk assessment programs that define an entity’s appropriate risk appetite on empirical and economic bases should replace the traditional checklists of requirements as the preferred regulatory yardstick.

As we have demonstrated in previous posts, the traditional regulatory paradigm, which is typically based on compliance with an extensive checklist of mandated requirements, is ill-suited for managing the dynamism of the cyber threat. Not only has it been shown to be costly and ineffective in sectors that have attempted to use it, but it also fosters mistrust and alienation among parties that need to be collaborating in a more strategic program of collective cybersecurity.

In earlier eras, cyber checklists were state of the art. However, in recent years, risk assessment models that enable organizations to conduct empirical and economics-based cyber risk assessments have become available and are being widely adopted, including in critical infrastructure and the insurance industry. Models such as Factor Analysis of Cyber Risk (FAIR) and X-Analytics are a far more appropriate method for cyber risk assessment, and these and similar tools should replace the antiquated checklists.

Moreover, the use of these tools in no way obviates the use of more standard frameworks such as NIST, ISO, SANS, and others. The broader methodologies suggested here typically map to all the major frameworks. Use of these tools simply enables organizations to make more strategic use of the standard frameworks based on empirical and economic factors. This further enables industry and government to strategically determine how best to deploy scarce cybersecurity resources. Standard checklists do not enable the needed economic prioritization.

All indications are that the market will be increasingly generating such tools, making them even more widely available, targeted, and affordable (some of the tools are already open source). The Department of Homeland Security has a modality under the SAFETY Act that can be used to designate and certify the models as qualifying for determining access to incentives.

Even in the most regulated sectors, such as finance and health care, the more contemporary model for regulation advocated here needs to be adapted. The regulated entity could reasonably be required to demonstrate that they have met that level of commercial security as determined by the sophisticated risk assessment tools certified by DHS under the SAFETY Act.

By calibrating cyber regulations on the use of these rigorous, empirical, entity-specific risk assessments, government will assure greater efficiency in cyber risk expenditures, thus enhancing overall ecosystem security. Moreover, these more precise assessments will properly enable the setting of risk appetites in accord with the organization’s legitimate business plan.

This will facilitate the use of the incentive models government may need to create to reasonably fill the gap between national level and commercial level security without bankrupting the federal government. Future posts will examine these incentive models more fully.

These modern cyber risk assessment techniques provide a clear measurement of the amount and type of market incentive that can be used to urge an organization to make security investments that go beyond their core commercial interests and meet broader national security needs if this is required.

Creating a structure that systematically addresses how to bridge the gap between legitimate industry spending on cybersecurity and the government’s needs is an important first step. Additional gains can be made by modernizing the process for addressing cyber risk in a truly collaborative, industry-government partnership as opposed to the current compliance-based punitive model.
