March 6, 2023

The new National Cybersecurity Strategy released last week calls for intensified federal regulation on IT providers, while presumably shifting regulatory focus away from technology users (we will see what the regulatory agencies and the SEC have to say about that last part).

The strategy asserts “regulation can level the playing field enabling healthy competition without sacrificing operational resilience,” but doesn’t explain how the strategy would accomplish that – or even what exactly they mean by “leveling the playing field.”

The glass-half-full interpretation of the regulations proposed in the new strategy is that the regulatory model – i.e., what “regulation” means or how it is carried out – itself will be altered.

To its credit, the strategy states “our strategic environment requires modern nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public and private collaboration, and cognizant of the cost of implementation.”

If the strategy actually fulfills that promise and creates a streamlined regulatory process that realistically factors in and accounts for the costs of the regulations, this could be a watershed moment in the necessary industry-government partnership. Industry is not opposed so much to government mandates; what is unworkable are unfunded, redundant, and ineffective mandates.

Unfunded, redundant, and ineffective is an accurate description of current cybersecurity regulation. If that model is to be replicated and intensified, the strategy itself will be not only unhelpful but counterproductive.

As we have indicated in previous posts, government regulation of cyber issues has been going on for nearly two decades and, despite these regulations, the problem only continues to get worse. In our previous post we laid out the empirical evidence that the current form of cyber regulation does not work, and there are good reasons why it doesn’t.

Traditional regulation is based on the independent agency model, which was initiated with the Interstate Commerce Commission (ICC) in the 1880s to deal with the hot technology of the time: railroads. This model essentially calls for elected officials, such as Congress, to set broad policy parameters. An expert agency would then implement these policies by adopting specific standards or compliance requirements.

To begin with, traditional compliance is essentially a backward-looking, pass-fail paradigm. Cybersecurity, on the other hand, is a forward-looking risk management issue.

In a compliance model, you typically check off boxes indicating what you have done. You have either filed your forms on time or not. You have met the mandated industry requirements or not. You are in compliance, or you are out of compliance. Pass-fail.

Cybersecurity is not pass-fail. You are not secure or insecure. Security is a continuum with incremental gradations. Entities, even within a single industry sector, may have differing security needs or face a wide spectrum of threats. As a result, a traditional check-the-box compliance system is inappropriate for the cybersecurity domain.

The new national strategy suggests that the new model of regulation will be tailored to individualized sectors. This, too, is an outdated construct. Security spending decisions, like virtually all private sector decisions, are not made by “sectors.” They are made by individual companies based on their unique business plans. A more sensible new regulatory model – such as the proposal we make in Fixing American Cybersecurity – would define a process each entity would be expected to go through to define its cybersecurity program as it aligns with its business plan. Organizations would be expected to self-fund security up to that empirically determined commercial level – that is their corporate responsibility.

Security above that empirically determined commercial level, which may be required for national security purposes, would be compensated by the government as national security is a governmental responsibility.

Industrial-age methods are ineffective because they were designed to address fundamentally different problems from those we face in cybersecurity. The model attempts to locate a static standard that, for example, assures consumer safety whenever producers are in compliance. The key factor here is that the subject being regulated is fairly stable. However, cybersecurity is not like consumer product safety.

In cyber, the technology is constantly changing, as are the attack methods. New vulnerabilities are continuously resurfacing or being introduced. In other words, the target state for security is always moving. Clear standards, such as those needed for automobile safety, become outdated quickly. The typical notice-and-comment rulemaking process used for regulation by most agencies and government institutions is not equipped to handle the ever-changing cyber landscape. Transforming a proposal into an enforceable final rule can take several years, and by the time it is finalized, the initial vulnerability has evolved into something completely different.

A more flexible, entity-based regulatory model is a better fit for the fast-paced digital age and would help define, empirically and economically, the basis for the required government-industry partnership that could create a sustainably secure cyber system.

(Adapted from Fixing American Cybersecurity: Creating a Strategic Public-Private Partnership.)