Is Regulation the Answer for Improving National Security?
Cybersecurity regulation is hot. Recent and proposed laws in the U.S. hit the headlines every few months, shining a light on lax practices and mandating stronger due diligence from both product makers and technology users.
Some cybersecurity experts say regulation is the only way organizations can be forced (or fined) into stronger defenses. Others point to the historical sentiment that compliance breeds a “checkbox” mentality, and that the requirements to meet compliance typically constitute minimum viable standards.
Will regulation help entities achieve a hardened security state, or should builders and buyers hold themselves to a higher standard?
The White House released its first national cybersecurity strategy in 2003. The aim back then, as it remains today, was to provide a comprehensive framework that helped entities in the U.S. protect critical infrastructure. The 2018 National Cyber Strategy built upon the earlier guidance but accounted for the more-modern cyber threat ecosystem that existed at the time.
With Executive Order 14028, Improving the Nation’s Cybersecurity, published in 2022, the Biden administration kicked off a wave of even more current security requirements for government agencies and civilian agencies serving the Federal government. Several state and local government agencies followed suit, and industry standards organizations used the opportunity to further amp up their recommendations. In under two decades, since the first standards document was issued, the technology and cybercrime landscapes had evolved so dramatically that the 2003 guidance looked archaic.
Flash forward to March 2023: The Office of the National Cyber Director (ONCD) released the National Cybersecurity Strategy, signaling even more stringent requirements for government agencies and civilian agencies serving the government. The ONCD didn’t stop at government-related borders, though. While not under the government’s direct purview at this time, the Strategy put private sector businesses on notice: “What you do,” it says to the private sector, “impacts all of us. Get ready. Regulation is coming for you, too.”
The five pillars
The 39-page Strategy outlines five “pillars,” each of which is intended to feed new laws and regulation in the coming years but be flexible enough to account for changes in cyberspace, including technological and nation-state advancements. The pillars are:
Defend critical infrastructure
Disrupt and dismantle threat actors
Shape market forces to drive security and resilience
Invest in a resilient future
Forge international partnerships to pursue shared goals
Without getting too deep into the details, even the headlines make clear that this is not the cybersecurity guidance of old. Accountability is going to be key; the U.S. can expect to see new regulation that holds software providers to higher standards (in an effort to prevent Log4Shell-type attacks), and organizations will be urged (or required) to “stop passing the buck on cybersecurity,” a warning floated by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and Executive Assistant Director Eric Goldstein last year.
You can read the strategy document in full with the link provided above. You can also read numerous articles published directly after its issuance to get various writers’ takes on what’s included. The question we pose today in The Reformed Analyst is: Is more federal regulation the answer to improving our nation’s cybersecurity?
So what?
The reality of the situation is that regulation can be a tool used to address cyber attacks, but it doesn’t solve the problem. Regulation rarely goes far enough or is fast enough to respond to the present-day landscape. It is encouraging to see the current administration working more closely with cyber experts and incorporating best practices in their guidance. But it is incumbent upon industry to keep pace with the latest tactics and techniques of cyber attackers — regardless of regulation — and take proactive measures to prevent attacks (when possible) and rapidly detect suspicious or malicious activity (when prevention isn’t possible).
Cyber attacks are complex and multifaceted, and they involve various technological, social, economic, and political factors. Therefore, any blanket recommendation, whether it’s a requirement to architect to zero trust principles or a mandate to keep an updated asset inventory at all times, won’t solve every problem for every organization. There are too many parameters — including the people, processes, and technology deployed at every disparate organization — to say, “if you do X, you’ll be one step ahead of the attackers.” Regulation can provide guardrails for improving cybersecurity practices and mitigating cyber threats, but it is not a silver bullet. It won’t stop attackers in their tracks. Why? Because attackers don’t play by the rules. They are reading the regulations. They know where the boundaries are and they know that many entities, for a variety of reasons, won’t architect beyond what’s absolutely necessary as outlined by law.
Fundamentals
The Biden administration is promising more numerous and more stringent cybersecurity regulations. Regulations are a small step in the right direction, especially if they focus on the implementation of security fundamentals such as encryption, multi-factor authentication, and regular security audits. As with the 2022 CISA mandate, regulation can also impose incident reporting and breach notification requirements, which can help organizations identify and respond to cyber attacks in a timely manner.
Fines
What’s more, regulation can introduce consequences for non-compliance, including fines, penalties, and legal liabilities. While the intent of these consequences is to incentivize organizations to take cybersecurity more seriously and invest in robust security measures, as we’ve seen with GDPR, some organizations simply make a business and/or financial decision to take a monetary hit rather than re-architect security controls. In some cases, the decision is simply a matter of resource allocation. In others, non-compliance is specifically chosen in order to avoid deploying cybersecurity and privacy practices that limit the business’s ability to use data or systems in ways that lead to revenue generation.
Fraternity
One of the main themes of the Strategy is information sharing and collaboration between public and private sector organizations. This is not a new theme; industry standards organizations and Federal agencies have previously put forth valiant efforts to erect confidential sharing mechanisms. While some of these efforts have effectively enhanced cybersecurity awareness, intelligence gathering, and incident response capabilities, many have fallen flat. In fairness, public-private information sharing and collaboration have improved over the years, but many in the private sector feel there is much more “give” than “take.”
The Strategy acknowledges (section 2.2) that “The private sector has growing visibility into adversary activity. This body of insights is often broader and more detailed than that of the Federal Government,” which unfortunately puts the onus on private sector entities, giving government an “easy out.” Luckily, many U.S.-based businesses are willing to put in the effort for the greater good; most whitehat cybersecurity professionals feel duty-bound to protect against adversary advancement.
The wrap up
The National Cybersecurity Strategy demonstrates a positive focus on what is, without question, a national problem. Its intentions are good, and the ensuing regulation will likely be issued with similarly good intentions (after what’s likely to be silly and unnecessarily prolonged infighting by the houses of Congress, based on political party). However, even if the regulation is aimed at good, it will have limitations. Given how the passing of laws works in the U.S., regulation will trail the rapidly changing threat landscape and adversary tactics and techniques. Further, compliance with regulations will add costs and administrative burdens for organizations, which may prove problematic for small businesses, especially given the staffing shortage.
While the government may be approaching cybersecurity as the national imperative that it is, forcing the hand of agencies and organizations with regulation is destined to come up short if entities fail to take a multi-layered, comprehensive approach, focusing first on fundamentals, then moving on to more advanced technological and risk-based approaches.
This is not an easy problem that can be solved with a few laws. Instead, it requires a combination of technical measures, best practices, employee training, incident response preparedness, and continuous improvement efforts — efforts that are taken regardless of fines or penalties.
While regulation can be an element of addressing cyber attacks, it is not the answer. It’s part of the answer. Agencies and businesses will need to continue to go above and beyond regulation, adopt best practices, and develop technology capabilities that rival adversary TTPs. Unfortunately, this is a circular problem: government needs to force the adoption of enhanced cybersecurity for organizations to realize that regulation isn’t enough — just like it’s not enough for the government to make laws requiring seat belt usage or preventing drivers from handling their mobile phones while driving.
However, while some stubborn drivers still refuse to wear seat belts and put down their devices, maybe cybersecurity practitioners can see a better result for their organizations if they take a proactive approach — independent of government mandates and strategy documents. This, of course, ushers in more questions and problems with budget, staffing, and organizational influence, but those are other topics for other times.