The cyber regulation wave is coming
It is unclear whether the intensive regulatory activity around cybersecurity will improve the current state of things, but the potential for unintended consequences is growing: already scarce security resources will have to be redirected towards compliance, which may even lower overall security.
Duplicative certification and compliance efforts will also abound. Companies will need to navigate different reporting regimes in the EU, the USA, Australia and elsewhere, especially around how quickly a cyber incident must be reported: 6 hours in India under the CERT-In directions, 72 hours in the EU for personal data breaches under GDPR, four business days for US public companies under the SEC rule, and often several variations within each country, since a flood of regulations is coming out of diverse agencies.
It is also unclear what a cyber "incident" is, because every incident can trigger reporting requirements under the new policy initiatives. By one official US definition, an incident only requires an action that “imminently jeopardizes” a system or presents an “imminent threat” of violating a law. But what about an attacker who attempts a brute-force login and is denied because they never guessed the password? Is each phishing email an incident? A denial-of-service attack that is absorbed? There is little clarity on these questions, as the policymakers themselves are not sure.
In a recent article in Harvard Business Review, Stuart Madnick from MIT states: "lawmakers often struggle to regulate technology - they respond to political urgency, and most don’t have a firm grasp on the technology they’re aiming to control. The consequences, impacts, and uncertainties on companies are often not realized until afterward." Back in 2018, when GDPR came into effect, many of its adverse side effects had not been considered, and it is doubtful the regulation improved security.
Here are some of the current or recent initiatives being considered or enacted:
In the US, the Federal Trade Commission, the Food and Drug Administration, the Department of Transportation, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency (CISA) are all working on new rules for various industry verticals, with a particular focus on critical infrastructure.
In 2021 alone, 36 US states enacted new cybersecurity legislation.
During 2022, the EU worked to update its NIS Directive of 2016, which provides a framework for EU member states to regulate technology services and products deemed critical to their economy and to the functioning of society. The proposed NIS2 includes revisions that create a new category of critical digital infrastructure, increase cyber incident reporting requirements, and impose additional cybersecurity risk management obligations.
The EU also finalized the Digital Operational Resilience Act (DORA), a new regulation creating ICT risk management and incident reporting requirements for the financial services sector and its technology providers.
The European Commission proposed the Cyber Resilience Act, which would establish cybersecurity requirements for standalone software, connected devices and their ancillary services. Relevant practices for software vendors include following a secure software development lifecycle and providing a Software Bill of Materials (SBOM).
The US Congress passed the Cyber Incident Reporting for Critical Infrastructure Act, which authorizes CISA to issue regulations requiring cyber incident reporting from critical infrastructure operators, and the US Transportation Security Administration (TSA) issued new sector-specific cybersecurity requirements for the transportation sector, starting with pipeline operators. The requirements include designating a cybersecurity coordinator and implementing specific mitigation measures against ransomware attacks.
Later in 2021, TSA issued two additional security directives that extended cybersecurity requirements to freight railroad carriers, passenger railroad carriers and rail transit systems. The directives require covered operators to designate a cybersecurity coordinator and to report cybersecurity incidents within 24 hours, among other obligations.
At the same time, TSA announced that it had updated its aviation security programs to require airport and airline operators to designate a cybersecurity coordinator and to report incidents within 24 hours.
In the UK, the draft Product Security and Telecommunications Infrastructure Bill will require manufacturers of consumer connectable products, such as smart TVs, to stop shipping devices with default passwords, an easy target for cyber criminals, and to establish a vulnerability disclosure policy.
In the EU, new security standards or requirements are being implemented via multiple legislative instruments, including a delegated act to the Radio Equipment Directive that applies to wireless devices and seeks to improve network resilience, protect consumers’ privacy, and reduce the risk of monetary fraud.
A cybersecurity certification scheme for cloud service providers is being considered by the European Union Agency for Cybersecurity (ENISA).
The European Union Aviation Safety Agency (EASA) issued new cybersecurity requirements that apply to the aviation supply chain, including aircraft manufacturers and airlines. The new rules will require a swath of aviation suppliers to identify and defend against hacking risks to flight safety. It is clear that the rules, which take effect in 2025, will mean a large increase in workload.
The above is just a subset of the new regulations in place or soon to be implemented. It is clear that companies will need to navigate a more complex regulatory landscape, which implies increased workload and costs. What is not clear is how these often conflicting and inconsistent regulations will actually foster cybersecurity.