Cyber Laws and Regulations Make Sense but Must Be Strengthened

Posted on by Robert Ackerman

Almost everybody knows by now that many of our activities have become dependent upon computer systems, data networks and various electronic devices – and that the movement toward hyper connectivity confronts a relentless siege from constantly evolving cyber threats and vulnerabilities.

Most companies have their hands full, and far too many are being breached despite their sharply heightened focus on cybersecurity. So, what are governments doing about this, and is there any reason for optimism?

It doesn’t make a lot of news compared to breaches, but a fair number of laws and regulations have been passed in the United States, Europe and elsewhere, all fundamentally designed to force companies and organizations to better protect their systems and data from cyberattacks.

These include President Trump’s cybersecurity executive order (EO) last month, the Cybersecurity Act of 2015, the Cybersecurity Enhancement Act of 2014 and, in New York State, pivotal new cybersecurity regulations for banks and other financial institutions, the first of their kind in the nation. Europe, meanwhile, has passed the General Data Protection Regulation (GDPR), a method by which the European Commission intends to strengthen and unify data protection for EU citizens, plus address foreign export of personal data, effective May 2018.

The report card so far? It’s early in the game, to be sure, but it’s generally fair to say that these are more-or-less decent steps in the right direction, if off to a relatively feeble start. That’s why the Information Technology and Innovation Foundation has called Trump’s EO, for instance, “mostly a plan for the government to make a plan.”

Consider, for example, that Trump’s EO calls on federal agencies to share cybersecurity technology. Sounds good, but each agency is a gigantic silo with varying degrees of expertise, resources and sophistication. So the sharing will almost certainly be heavily resisted, slow the process down, and  lead to security holes in a hodgepodge network only as strong as its weakest link.

Trump’s EO also calls for the recommendation of future steps to secure U.S. infrastructure. Again, this is easier said than done. The U.S. electric grid, for instance, is wide open, designed to be functional but only minimally secure against cyber attacks.

 Reports this month by ICS experts Dragos Inc. and ESET about the use of highly sophisticated malware in an attack last December on a Ukrainian electric utility highlight the security vulnerabilities in critical infrastructure. What to do? I suggest codifying a level of cyber resiliency, accompanied by a methodology to test it. An industrial bank should also be formed to provide long-term financing and technical expertise to select utilities to ensure implementation of standards.  The Trump administration has yet to address these remedies.

The Cybersecurity Act of 2015 calls on businesses, government agencies and other organizations to share information about cyber threats with each other. The hope is that this will be better prepare them to identify and defend against cyber thieves. The Department of Homeland Security, the ring leader, can share the information with other government agencies and companies. So far, however, challenges are blocking progress. It remains murky how this information is to be shared, and many technology companies, fearful of insufficient consumer identity protection, aren’t participating. The provisions of the law are voluntary.

The Cybersecurity Act law does offer some inherent protection against lower-level cyberattacks. The notion of companies and governments sharing data about the “signatures” of cybersecurity thieves is worthwhile. These are digital trails showing where attackers come from and what their code looks like.

Overall, though, what is needed is the implementation of data protection technologies like encryption, the patching of outdated software and the strengthening of other cyber defenses. Even the sponsors of the law have admitted that it would not have helped against the highly destructive, allegedly North Korean-orchestrated attack against Sony in 2014. That attack, like many today, wasn’t based on previously known computer viruses or other malicious tools that companies and government could warn each other about.

The promulgation of cybersecurity laws and regulations underscores the importance of implementing a cyber regulatory framework. If effective, it would reduce the number of successful attacks and enhance a culture of cybersecurity. But, again, there is no shortage of roadblocks, including resistance and counterpoints regarding how laws and regulations should instead read. Then, too, there is the eternal debate between privacy and strong security.

Still another issue is that cyber technology advances rapidly. Required standards can easily lag technological advances. Laws and regulations should be at the forefront in responding to current and emerging cybersecurity issues. Too often, they are not.  Regulations should focus on outcomes -- not specific requirements that can become obsolete even before the “ink is dry” on relevant legislation.

New York’s cybersecurity regulations for financial institutions, implemented in March, are a good case in point. While. Gov. Andrew Cuomo showed foresight in pushing these through the state legislature, there are shortcoming that other states should weigh before considering the implementation of similar regulations.

On the surface, the rules seem fine. They outline strong security practices. They limit distribution of personally identifiable information, and they require multifactor authentication. They also stipulate that financial institutions test their cybersecurity systems.

One big problem, however, is the required frequency of testing. Regulations require system checks once a year. Given the reality of rapid change in digital systems and associated risks, this isn’t nearly enough. It falsely implies that systems should and will remain static for the given certification period. Meanwhile, the frequency and magnitude of changes within IT organizations continues to escalate, heightening the emergence of assorted vulnerabilities.

Are nations outside the U.S. faring any better in implementing effective cyber laws and regulations?  In fact, it’s too soon to say. In Europe, GDPR -- which will impact the processing and movement of the personal data of about 500 million citizens -- doesn’t become effective for almost another year. It could work out well: European nation-states already benefit from significant international cooperation on multiple fronts, including defense, security, intelligence and select trans-national cybersecurity organizations.

On the other hand, there are still plenty of challenges in persuading 28 sovereign nations to effectively abide by the rules in such a complex and fast-evolving arena as cybersecurity.  Notwithstanding signing on to GDPR, nation-states naturally tend to regard cybersecurity as an element of national, not trans-national, security.

For now, let’s be optimistic that GDPR will be effective. And decidedly a plus is the fact that the United Kingdom’s pending exit from the European Union – Brexit (short land for British Exit) – should not pose a problem. GDPR becomes law before the United Kingdom actually leaves the EU. And, too, GDPR is the easiest way to maintain cybersecurity protection and ease commercial ties between Britain and the EU.

The U.S. and the rest of the world need effective cybersecurity laws and regulations. The cyber threat is too big and complex and changes too quickly for individual entities to combat effectively on their own. But we have to make these laws and regulations more precise and effective – and, yes – more respected. After all, cyber attacks could play a key role in the future of warfare. If so, our side needs all the help it can get.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Security Strategy & Architecture

security operations

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs