With a few notable exceptions, traditional regulation has not worked to improve our cybersecurity. There are multiple reasons why it generally doesn’t improve security and is often actually counterproductive, which we (ISA) describe in our recent book Fixing American Cybersecurity: Creating a Strategic Public Private Partnership (Georgetown University Press 2023), so we won’t detail them here. Succinctly, the traditional regulatory model is a 20th century solution to a 21st century problem, and we are nearly a quarter century into the 21st century.
Notwithstanding the lack of much documented success, some still default to a primarily regulatory mindset, perhaps in part because they can’t think of anything better to do. Of course, the answer to that problem is to find better things to do – not to keep doing the ineffective, harmful thing.
There are some who criticize the Biden Administration’s new cybersecurity strategy as excessively regulatory. However, the degree of regulatory impact the strategy will have is entirely dependent on how it is implemented.
In the next series of posts, we will be outlining 25 ways the new national strategy can (and should) be implemented without resorting to the outdated models and in a cost-effective fashion. Since they are consistent with the goals and intents of the new strategy while being inexpensive, non-regulatory, and – dare I hope – likely to measurably improve our security, the political calculus to enact these concrete steps might be there.
We will release our final set of recommendations for implementing the new strategy shortly. However, that will be a fairly lengthy document. We wanted to break down a number of our thoughts into more digestible bits in this blog series and get some input. We invite questions, comments, compliments, and complaints (ok, “invite” is overstated where complaints are concerned).
Our intent is to run the posts daily through September and into October – Cyber Month. Below are the working titles for the blogs; they may or may not be the final titles, and they may not run in this order. They will also be posted on the ISA website.
So, what do you think?
BLOG 1 “25 STEPS TO FIX CYBERSECURITY WITHOUT CREATING NEW REGULATIONS”
BLOG 2 GOOD FIRST STEP IN NEW CYBER STRATEGY, TRIPS UP ON THE SECOND STEP
BLOG 3 OMB CAN QUICKLY STOP DUPLICATIVE CYBERSECURITY REGULATIONS – IT SHOULD
BLOG 4 GOVERNMENT HAS NEVER COMMITTED TO PUBLIC PRIVATE PARTNERSHIP – IT NEEDS TO
BLOG 5 CURRENT CYBERSECURITY PROGRAMS ARE NOT “PERFORMANCE BASED” – THEY OUGHT TO BE
BLOG 6 THE CYBERSECURITY REGULATORY MODEL IS UPSIDE DOWN AND NEEDS TO BE REPLACED
BLOG 7 CYBERSECURITY MANDATES NEED TO BE BASED ON EMPIRICAL ECONOMICS AND EFFECTIVENESS
BLOG 8 SEVEN PRINCIPLES NEEDED FOR SECURITY BY DESIGN AND DEFAULT TO FOLLOW
BLOG 9 TEN BEST PRACTICES FOR CYBERSECURITY BY DESIGN AND DEFAULT
BLOG 10 POSSIBLE MARKET INCENTIVE PROGRAMS TO PROMOTE SECURITY BY DESIGN AND DEFAULT
BLOG 11 THE MILITARY’S ROLE IN FIGHTING INTERNATIONAL CYBER CRIME NEEDS TO BE MODERNIZED
BLOG 12 CMMA NEEDS TO BE CONTINUALLY REFINED
BLOG 13 LESSONS THE PRIVATE SECTOR CAN SHOW GOVERNMENT IN FIGHTING CYBER CRIME
BLOG 14 ADAPTING THE CIVIL FORFEITURE MODEL CAN HELP LAW ENFORCEMENT FIGHT RANSOMWARE
BLOG 15 THE US NEEDS A DEDICATED FOCUS ON “DIGITAL TRANSFORMATION” (LIKE OUR ADVERSARIES)
BLOG 16 AN ECONOMICS APPROACH TO SECURING CRITICAL INFRASTRUCTURE FROM CYBER ATTACK
BLOG 17 THE NEED TO DEVELOP THE FIRST ECONOMICS MODEL FOR CYBERSECURITY
BLOG 18 A MODEL FOR CREATING MARKET INCENTIVES IN CYBERSECURITY
BLOG 19 ADDRESSING SYSTEMIC CYBER RISK THROUGH MARKET DOMINANCE
BLOG 20 THE NEED FOR GOVERNMENT TO (REALIZE) IT IS THE CYBERSECURITY BACKUP
BLOG 21 THE NEED FOR A NATIONAL, VIRTUAL, CYBERSECURITY ACADEMY
BLOG 22 A NATIONAL VIRTUAL CYBERSECURITY ACADEMY IS COST EFFECTIVE
BLOG 23 THE SAFETY ACT CAN VALIDATE NEW CYBERSECURITY MODELS FOR REGULATION
BLOG 24 ALL FEDERAL CYBERSECURITY PROGRAMS NEED TO BE ASSESSED FOR COST BENEFIT ANALYSIS
BLOG 25 HOW TO ENHANCE THE ECONOMICS OF CYBERSECURITY FOR SMALLER BUSINESSES
FOR GREATER DETAIL ON THE ISSUES DISCUSSED IN “TWENTY-FIVE STEPS TO IMPROVING SECURITY WITHOUT NEW REGULATIONS” SEE FIXING AMERICAN CYBERSECURITY: CREATING A STRATEGIC PUBLIC-PRIVATE PARTNERSHIP (GEORGETOWN UNIVERSITY PRESS 2023)