We Can Not Expect Cybersecurity Regulation to be the Solution.

There are too many moving parts and too many conflicting interests to make effective regulation the silver bullet.

Due to the volatility, force and pace with which technological innovation is moving through the global economy, cyber risk has become the biggest contemporary threat to all actors, especially private enterprise.

Taking a regulatory perspective must be a key part of any successful overall strategy. However, as regulations grow increasingly complex, doing the minimum for compliance is no longer enough. It is increasingly evident that governments and customers will view a provider's security posture less from a compliance perspective and more as a competitive differentiator. A provider of products and services will have to treat compliance simply as the ante that earns the right to compete in the marketplace.

Drivers for regulations are most abundant in Financial Services; Healthcare; Telecommunications; Critical Infrastructure and Government systems.

Despite high-profile breaches — from Target to Yahoo — legislation to toughen data protection standards hasn't gained traction, but it's not for lack of effort.

A search for "cyber security" yields 141 pieces of legislation — including bills and amendments — that have gone before the 115th Congress with those words in the title or body and cover a variety of areas.

Given the current focus of the Administration on deregulation and a partisan Congress, it is less likely that sweeping new national regulation will be realized over the next two years. This means that the States (as we are seeing from California, Maryland and New York) will be driving a great deal of the regulatory changes. It is more than fair to say that regulation alone does not make any system more secure. Agreeing on consistent metrics will be key: one cannot manage what one cannot measure.

The Challenge in Cybersecurity Regulation

Cybersecurity is a fast-morphing mix of people adapting to new behaviors, new ways of doing things and ever newer technologies. This means that making any assumptions about what regulations will be needed six days, six weeks or six months from now is more than problematic. Most legislation is initiated well after the fact and driven by a wave of litigation and special-interest lobbying. Responding meaningfully to cyber warfare requires a more expeditious approach.

To regulate something, you must know all the players, the expected and desired actions of each of them, and the mutually agreed-upon desired outcome. To use a sports metaphor: we know the right number of players in the game, their positions relative to one another, and what it means to score a point.

In the cyber world, we can't know all the players; we cannot predict how they will arrive to play, or whether they come to "score points" or simply to disrupt the game; and the rules, as outlined, are merely guideposts for what to avoid. Currently, only one team plays offense and the other defense throughout the competition. This game never ends.

In order for citizens, governments, and industries to be able to begin to effectively regulate cybersecurity, we must find a common definition of terms; a comprehensive series of meaningful metrics; a consensus on approach; a consistent application across geographies; a constructive incentive scheme and a crushing global deterrent.

The current internet infrastructure and regulatory frameworks are poorly tailored to keep pace with the evolution of the internet and the digital realm in general. A very significant number of NIST publications are in the process of being revised, rewritten and/or retired because of the introduction of new technologies and the obsolescence of others, and most of these publications were written in this millennium. NIST Special Publication 800-53 Rev. 1 was published in 2008.

Therefore, a majority of them severely lag behind present technology and present threat awareness. This is because the internet infrastructure was not designed to cope with today's data volumes and the myriad of actors challenging its very scope and content.

Cybersecurity legislation and compliance obligations, once they come into force, are ever-shifting. Consequently, it is crucially important that companies anticipate tomorrow's regulatory environment. In particular, when they are active in multiple jurisdictions, it is fundamental to systematically track evolving laws and regulations in order to respond to legal and political challenges on time.

To Anticipate What Will Need Regulating

Regulations become dated the moment they are placed into effect. Anticipating where regulation will be needed can be driven by the technology trends we can forecast.

These trends bring together technologies with the potential to initiate lasting transformation in the digital ecosystem, which we define as all of the infrastructure, software applications, content, and the social practices that determine how the ecosystem is used. The largest trends are as follows:

1. Cloud computing

2. Big data

3. The Internet of things

4. Mobile Internet

5. Brain-computer interfaces

6. Near-field communication (NFC) payments

7. Mobile robots

8. Quantum computing

9. Internet militarization/weaponization

10. Blockchain and open journaling technologies

11. Cryptocurrencies

A Consensus on Predictions that will Impact Cybersecurity

1. While governments and private enterprise slowly invest in artificial intelligence to support cybersecurity, attackers will aggressively invest in AI to aid their attacks.

2. Growing 5G deployment will open up a new dimension in cyber-attack surfaces

A number of 5G network infrastructure deployments kicked off this year, and 2019 was shaping up to be the year of accelerating 5G activity. While it will take time for 5G networks and 5G-capable phones and other devices to become broadly deployed, growth will occur rapidly. IDG, for example, called 2019 “a seminal year” on the 5G front, and predicted that the market for 5G and 5G-related network infrastructure will grow from approximately $528 million in 2018 to $26 billion in 2022, exhibiting a compound annual growth rate of 118 percent.

Over time, more 5G IoT devices will connect directly to the 5G network rather than via a Wi-Fi router. This trend will make those devices more vulnerable to direct attack. For home users, it will also make it more difficult to monitor all IoT devices, since they bypass a central router. More broadly, the ability to back up or transmit massive volumes of data easily to cloud-based storage will give attackers rich new targets to breach.

3. IoT-based events will move beyond massive DDoS assaults to new, more dangerous forms of attack

4. Attackers will increasingly capture data in transit

In 2019 and beyond, we can expect increasing attempts to gain access to home routers and other IoT hubs to capture some of the data passing through them. Malware inserted into such a router could, for example, steal banking credentials, capture credit card numbers, or display spoofed, malicious web pages to the user to compromise confidential information.

5. The supply chain will become (even more than it already is) an attack target

An increasingly common target of attackers is the software supply chain, with attackers implanting malware into otherwise legitimate software packages at their usual distribution location. Such attacks could occur during production at the software vendor or at a third-party supplier. The typical attack scenario involves the attacker replacing a legitimate software update with a malicious version in order to distribute it quickly and surreptitiously to the intended targets. Any user receiving the software update will automatically have their computer infected, giving the attacker a foothold in their environment.

These types of attacks are increasing in volume and sophistication, and we could see attempts to infect the hardware supply chain in the future. For example, an attacker could compromise or alter a chip, or add code to the UEFI/BIOS firmware, before such components are shipped out to millions of computers. Such threats would be very difficult to remove, likely persisting even after an affected computer is rebooted or the hard disk is reformatted.
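The defensive counterpart to the update-replacement scenario above is to refuse any update whose digest is not pinned in a vendor-authenticated manifest. The following is an added illustration, not code from the article; the manifest layout, the product name "agent", the sample payloads and the HMAC tag standing in for the vendor's real signature are all assumptions made here so that it runs on the Python standard library alone.

```python
"""Verify a downloaded update against a pinned, authenticated manifest.

Added example (not from the article). A shared HMAC key stands in for the
vendor's asymmetric release signature so the example needs no third-party
library; the manifest format is likewise an assumption of this example.
"""
import hashlib
import hmac
import json

# Constructed sample key: assumed to exist only in the vendor's release
# pipeline, with the verifying side pinning the matching material.
VENDOR_KEY = b"constructed-vendor-release-key"


def build_manifest(name, version, package):
    """Vendor side: record the package digest and authenticate the manifest."""
    manifest = json.dumps(
        {"name": name, "version": version,
         "sha256": hashlib.sha256(package).hexdigest()},
        sort_keys=True)
    tag = hmac.new(VENDOR_KEY, manifest.encode(), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_update(manifest, tag, package, expected_name):
    """Client side: install only if manifest and package both check out."""
    # 1. Manifest authenticity; constant-time compare avoids timing leaks.
    expected = hmac.new(VENDOR_KEY, manifest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    meta = json.loads(manifest)
    # 2. Manifest is for this product (a genuine manifest for some other
    #    package must not be accepted in its place).
    if meta.get("name") != expected_name:
        return False
    # 3. Downloaded bytes match the pinned digest.
    return hmac.compare_digest(meta["sha256"], hashlib.sha256(package).hexdigest())


def demo():
    """Constructed run: genuine update accepted, tampered and forged rejected."""
    genuine = b"constructed genuine update payload v2.1"
    manifest, tag = build_manifest("agent", "2.1", genuine)
    tampered = genuine.replace(b"genuine", b"trojan ")  # swapped-in payload
    forged = manifest.replace("2.1", "2.2")  # manifest edited after signing
    return {
        "genuine_accepted": verify_update(manifest, tag, genuine, "agent"),
        "tampered_rejected": not verify_update(manifest, tag, tampered, "agent"),
        "forged_manifest_rejected": not verify_update(forged, tag, genuine, "agent"),
    }


if __name__ == "__main__":
    print(demo())
```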

6. Growing security and privacy concerns will drive increased legislative and regulatory activity

The European Union's mid-2018 implementation of the General Data Protection Regulation (GDPR) will likely prove to be just a precursor to various security and privacy initiatives in countries outside the European Union. Canada has already enforced GDPR-like legislation, and Brazil recently passed new privacy legislation similar to GDPR, due to enter into force in 2020. Singapore and India are consulting on adopting breach notification regimes, while Australia has already adopted notification timelines that differ from GDPR's. Multiple other countries across the globe have GDPR adequacy status or are negotiating it. In the U.S., soon after GDPR arrived, California passed a privacy law considered to be the toughest in the United States to date. We anticipate the full impact of GDPR to become clearer across the globe during the coming year.

At the U.S. federal level, Congress is already wading deeper into security and privacy waters. Such legislation is likely to gain more traction and may materialize in the coming year. Inevitably, there will be a continued and increased focus on election system security as the U.S. 2020 presidential campaign gets underway.

While we’re almost certain to see upticks in legislative and regulatory actions to address security and privacy needs, there is a potential for some requirements to prove more counterproductive than helpful. For example, overly broad regulations might prohibit security companies from sharing even generic information in their efforts to identify and counter attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities even as they close others.

CONCLUSION

There are cries to regulate the disruptive tech giants, including Google, Amazon, Twitter and Facebook. Not only are their business models being scrutinized, but the pervasiveness of their emerging connected environments (self-driving vehicles, artificial intelligence, the Internet of Things, telecommunications and more) challenges the idea of effective self-regulation.

Not to make a political statement, but in the next two years, under an administration bent on deregulation (as we have seen with many consumer protection laws and with environmental and financial services regulation) and with partisan divisions, we are less likely to see any major sweeping national regulations get through Congress. This will mean that the individual States (as we are seeing with California, New York and Maryland) will drive more of the regulatory strategy.

Final thoughts

Perhaps redundantly, it has to be stressed that cybersecurity should not and cannot be driven by regulation. Regulatory relief comes too late. The drivers of innovation and inventiveness come from business drivers and the strong desire to "be first!" in a competitive society.
