Should the Government Regulate Cybersecurity?

It has been famously said that, “the wheels of justice turn slowly.” That’s partly because the process most governments use when creating regulations and laws encourages debate, the careful examination of all sides of an issue, and the development of bartered consensus between groups with differing needs and opinions. In the modern era, this model has been very successful at promoting economic success while balancing personal freedom with social accountability.

This model is less effective, however, when it comes to regulating highly dynamic issues like cybersecurity. Networks, devices, applications, and services are changing at an exponential rate. Users and organizations are wrestling with threats on devices that didn’t even exist 18 months ago. So trying to codify cybersecurity regulations can be a lot like trying to paint a racecar as it zips around the track.

Which is why Australia is trying something new. Prime Minister Malcolm Turnbull last week announced a new $230 million cyber security strategy. Based on a year-long study of the industry, it focuses on closer collaboration between government, business, and individuals. It is comprised of three objectives:

1. Making Australians aware of cyber risks, and helping them secure their computers and take steps to protect their identities, privacy, and finances online
2. Helping Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers
3. Ensuring that Australian Government information and communications are secure and resilient

As a key component of Objective Two, the Australian federal government will offer cyber security 'health checks' to Australia's top-100 ASX-listed companies. It is also hoping to set up voluntary guidelines "co-designed with the private sector" to help organisations improve their cyber security resilience.

The announcement has received mixed reviews from industry experts. Some feel that the inherent risk of cybercrime and the costs of a public breach, combined with the desire to offset risk with new tools such as cyber insurance, will naturally drive organisations to create and adopt more aggressive cybersecurity standards.

Others are more skeptical. Most notably, this new strategy omits the mandatory reporting of security breaches, something required in places like the US and Europe. And some feel that without specific regulations, many organizations will delay critical security upgrades. They cite that many organizations are already aware of the risks, and still have substandard security implementations. Many are specifically concerned about those organizations that manage critical infrastructure, or where a cyber attack could put Australian citizens at risk, either financially or physically.

And this is where it gets tricky. Make regulations too specific, and the evolution of the technology will quickly outpace requirements. Make them too generic, and their ambiguity dilutes their effectiveness. And one size fits all standards are hard to impose across the entire spectrum of businesses. So what do we do?

Fortunately, there are models that have been pretty effective. The Payment Card Industry Data Security Standard (PCI-DSS), for example, targets a very specific business activity: the processing of credit card transactions. It has been globally adopted, the requirements are straightforward, and the penalties are severe enough to ensure compliance.
Other standards are designed to protect the privacy of individuals. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the US regulates the use and disclosure of protected health information. Many countries have adopted similar regulations designed to protect individual personally identifiable information (PII). Other regulations have adopted a strategy of holding corporate board members personally liable if a breach occurs in a publicly traded company and it is shown that the company failed to implement adequate security based on best practices in their industry.

Nothing motivates action or frees up budget quite like personal liability.

Regardless of the outcome of Australia’s new cybersecurity strategy, we can all agree on a few things:

1. There is a huge, and growing, security skills shortage, which makes planning, designing, implementing, and optimizing a security strategy increasingly difficult for many organizations.
2. Networks are becoming increasingly complex. It is not uncommon for organizations to have siloed security solutions from dozens of security vendors plugged in across their networks. This is not a strategy that can scale effectively for long.
3. A second set of eyes on your security environment, which includes things like an architectural review, penetration testing, and consulting services which help you clearly identify and prioritize a “get well” security strategy, are almost always far less expensive than a critical breach.