TRADITIONAL REGULATION (BEEN TRIED) WON’T WORK IN CYBERSPACE

January 12, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

Doing the same thing over and over and expecting different results is the definition of insanity. —Albert Einstein

We initiated this series by documenting that we are failing to secure cyberspace largely because we have focused too narrowly on the operational and technical aspects of cyber and not enough of the strategic nature, and economic causes of the attacks. We then saw that one of our major adversaries, China, has developed a sophisticated digital strategy that integrates technical vulnerabilities with economics in a broad geo-political context that has been extremely successful  in achieving China’s strategic goals.  We then covered the fact that not only are the number of attacks and attackers growing but the very nature of cyber-attacks is evolving potentially leading to even more catastrophic system wide risks. At this point we will turn to analyzing the current, and long-standing, US approach to cybersecurity and assess why these tactics are proving insufficient to the task of providing the nation with a sustainably secure cyber system.

As before, we turn to Richard Clarke is  the former top cybersecurity advisor to both Republican President George W. Bush and Democratic President Bill Clinton and Robert Knake, President Obama’s Director for Cybersecurity Policy at the National Security Council and now a Senior Fellow at the Council on Foreign Relations for a description of the state of US Cybersecurity Policy as a baseline for our analysis.

In their 2019 book The Fifth Domain Clarke and Knake wrote:

“Since the Clinton Administration our cybersecurity strategy has changed very little…We return to the basic idea that companies that own and operate the internet and the things they connect to it… will be responsible for protecting themselves. Government’s role will be limited to support the private victims of cyber-attacks with law enforcement, information sharing, diplomacy and in the rare cases where it is both feasible and in the national security interest, military force.  Government will also play a role of helping industry help itself through nudges to encourage investment and cooperation in cybersecurity through research training convening and ultimately through regulation.”

It is worth noting that nowhere in Clarke and Knake’s description of USCG cyber strategy do the words “economic” “partnership” or “leadership” appear. We will argue that all three concepts need to be centrally located in a competitively effective cybersecurity policy.

Based on our previous analysis alluded to above it would be hard to seriously argue that the current approach has been even remotely successful. Analyzing our current tactics demonstrates why they are, as currently practiced, insufficient.

Perhaps the most common mantra for those becoming aware of the dire nature of our cybersecurity, and the ultimate tactic suggested by Clarke and Knanke, is to suggest that what is needed is a regulatory model for cybersecurity similar to that we have developed for consumer product safety or financial transaction. 

However, as we will demonstrate over the next few days, traditional regulation doesn’t work in cyberspace.

Presumably, in such a system, the federal government would prescribe a set of effective standards industry would have to comply with subject to independent audit with enforcement for lack of compliance including stiff penalties

Unfortunately, these suggestions reflect a fundamental lack of understanding of  the nature of the cyber security problem, it also betrays a lack of awareness of the extent to which regulation has already been tried – and largely failed. More importantly, it demonstrates a lack of realization that the traditional regulatory frameworks are fundamentally ill-suited to the digital age — a conclusion that has been reached even by those who have been put in charge of implementing such regulation.

Much of our traditional regulatory processes and judicial enforcement are designed to address malfeasance. However, the core problem with cybersecurity is not that the technology or the users are incompetent, uncaring or evil. The core problem is  technology is under attack not because the system is inherently vulnerable – although it is—but because there are overwhelming economic incentives to attack it. Certainly, technical modifications and operational enhancements which are the focus of cyber regulations may improve things on the margins, but after three decades focused on these aspects of the issue it is clear that the method regulatory models are not up to the task and only pile on more requirements to over-tasked security teams without corresponding effectiveness gains.

It is critical for policy makers not to simply knee-jerk to analog solutions to digital issues but to understand the basis behind these traditional approaches.  We will begin that analysis tomorrow before proceeding to discussing where traditional regulation has been tried to address cybersecurity issues (SPOILER ALERT)– it has been tried a lot) and how it has generally failed.  It’s also worth noting our conclusion will not be a threat if we eliminate cybersecurity regulation but rather modernize and substantially reform it – but first we will analyze the deficiencies in the current system so the reforms will be properly calibrated to the problem.

Join the Rethink Cybersecurity Community click here