Not so long ago, the notion of introducing laws and other regulatory responses to address cyber security issues was regarded with significant hesitation by governments and policy makers. To some extent, this hesitation may well have stemmed from a general perception by those who do not work directly in the field that the world of cyber security is somewhat of a 'dark art'. More recently, however, there has been a substantial shift in this attitude, with proposals to regulate a range of cyber security related matters becoming increasingly numerous. This shift needs to be regarded with a degree of guarded pragmatism: regulation certainly has the potential to enhance attitudes to cyber security and ultimately security postures within nation states. However, if handled poorly, the effect of regulation may be to achieve the complete opposite.
A shift in the wind as security goes mainstream
Ostensibly, it seems a positive development that policy makers around the globe have begun to regard cyber security as a domain into which they are prepared to step and regulate in an effort to protect consumers, businesses and states from the harms that can flow from poorly secured IT hardware, software and processes. The USA and EU have been the chief domains of discussion in this regard, as the former continues to grapple with implementing a legal framework to facilitate security incident information sharing between government agencies and the private sector, while the latter moves toward implementing its Network and Information Security Directive. Other jurisdictions are also looking at implementing significant regulatory measures - for example, the German Bundestag has just passed an IT Security Act that prescribes minimum security requirements for operators of critical infrastructure and providers of telecommunications services.
This is in stark contrast to a period only a few years ago when it seemed there was little political appetite for regulating cyber security related matters. For example, in 2010, I served as an advisor in cyber security policy for one of Australia's major communications regulators during a period in which the Australian government had commissioned a national review into the growing threat of cybercrime. Among many others, a recommendation was made to the government by the committee overseeing the review that serious consideration be given to implementing a security testing and evaluation regime for IT hardware and software products sold to consumers. The scheme would potentially have been subject to regulatory oversight. The recommendation stemmed from a perception that the increasing exploitation of security vulnerabilities in IT products by cybercriminals was the result of a lack of adequate testing by vendors of their products prior to release.
In addition, as part of a separate series of deliberations, a proposal was made by our agency to examine the feasibility of implementing a 'notice and temporary take-down' regime for Australian-based websites that had been compromised by malicious code through exploitation of cross-site scripting vulnerabilities. The proposal was made in response to the increasing use by cybercriminals of drive-by downloads as a malware delivery vector, and would have operated in a not dissimilar fashion to an existing co-regulatory regime in Australia that deals with the removal of access to various types of 'prohibited content' online.
Unsurprisingly, the regulatory aspects of both proposals were quickly consigned to the 'too hard' basket by the government of the day, and little progress was made on their further advancement.
Today's environment is clearly different, perhaps in large part because of increasing mainstream coverage of cyber security issues - particularly in the context of major data breaches affecting the personal information of an ever larger number of consumers (the data breach that affected Target in 2013 immediately comes to mind, though obviously there have been many others). This growing public spotlight seems to have transformed political appetites such that the notion of applying regulatory levers to address cyber security issues has come to be seen as an increasingly realistic proposition.
A brave new world - tread carefully to avoid calamity
Yet as the formation of regulatory frameworks in the realm of cyber security gathers momentum, policy makers need to exercise appropriate caution and consideration in regards to the following areas:
1) whether specific security issues actually warrant regulation (e.g. whilst there seems increasing consensus that matters such as incident information sharing and critical infrastructure security should be regulated, does this apply more generally to matters such as the security of IT products sold to consumers?); and
2) the form regulation should take if it is deemed necessary (self-regulation, co-regulation, or prescriptive laws, or a combination?).
Indeed, divergent approaches have already emerged as to how to handle key issues such as the management of security around critical infrastructure assets - compare the proposed regulated approach of the European Union's NIS Directive with the entirely voluntary NIST Cyber Security Framework developed in the USA (noting that the North American Electric Reliability Corporation has developed mandatory security standards specifically for certain operators of electricity infrastructure). In these early stages, where regulatory frameworks around security are still at a relatively nascent stage of development, there will inevitably be some differences in the paths different jurisdictions decide to take. This is a natural corollary of there being little practical experience and precedent upon which to rely when assessing whether regulation is justified in response to a specific security issue and, if it is, the most appropriate form that regulation should take. To some extent, the experiences these divergent approaches provide will be necessary, and ultimately valuable, 'growing pains' that will enable regulatory frameworks in relation to cyber security to mature over the next several years.
Over time, it will be important that the lessons learned from these experiences are used as a platform by policy makers to develop a consistent framework for determining when regulatory intervention in cyber security matters is justified. Otherwise, there is a risk that regulation in specific cases could be excessive and/or inappropriately tailored, resulting in superfluous costs for organizations with little tangible benefit gained for society as a whole. This may in turn entrench a compliance mindset in which organizations principally see security as an 'expense' rather than an 'enabler' that can provide them with a competitive advantage. The danger of this, as most in the security field would attest, is that a compliance mindset is the antithesis of what is needed to most effectively protect consumers, businesses and nation states from emerging cyber security threats. It encourages a 'bare minimum' rather than a proactive approach to security. Yet even today, there are many organizations that seem to regard security as nothing more than a compliance expense (I have recently been building my professional networks with senior staff at a range of technology related organizations in the USA, and regularly hear remarks to this effect).
Fostering a proactive culture of security within nation states doesn't only depend on prudent regulation. Messaging to consumers around security will also be key as their awareness of and interest in cyber security related matters increases. For example, informing consumers that a product they are considering buying is safe because it is secured against vulnerabilities X, Y and Z is an entirely different and less useful approach to fostering a proactive approach to cyber security by organizations than messaging that indicates a product is secure because it comes from an organization that has a strong 'culture' of cyber security (provided that isn't just a buzzword used by all and sundry with little oversight). The most effective way of conveying this to the average consumer (who may have no knowledge of standard security benchmarks such as ISO 27001, ISO 27034, secure development life cycles and PCI DSS) is an important issue that will also need to be grappled with.
Conclusion
Finally, it's important to acknowledge the important work that is taking place at an international level to develop agreed-upon norms of conduct in relation to the increasingly realistic proposition of cyber warfare between nation states. Whilst the above discussion is focused on regulatory responses to security issues that occur within a jurisdiction, the two discussions are not entirely disconnected. The establishment of norms around appropriate ways to regulate security issues at a domestic level - assuming some level of consensus eventually emerges among states - may assist in developing consensus at an international level around whether specific types of conduct should be considered justifiable or inappropriate forms of cyber warfare. For example, if a majority of states adopt an internally consistent regulatory approach to how the security of critical infrastructure assets should be handled, this may in turn assist with shaping norms around how different types of offensive actions against those assets by other nation states should be regarded.
The reality is that the cyber security field is entering a key phase in its relatively young history. Depending on how effectively this phase is handled by policy makers and regulators, there is a valuable opportunity to ensure that nation states move forward over the next several years with a strong and proactive security culture that will benefit their citizens substantially.
Written by Arun Raghu, Technology Policy Adviser