It has been a busy time for cybersecurity pronouncements on both sides of the Atlantic.
First there was President Biden’s National Cybersecurity Strategy, then the UK government’s data protection reform bill and its white paper on AI (artificial intelligence), and finally the EU’s NIS2 Directive and its own proposal on regulating AI.
What’s interesting about these initiatives is how little they achieve in the short term. They are either still proposals or they will not take effect for several years. Most read more like forecasts of the future regulatory environment than rules that demand immediate compliance.
For example, the UK white paper on AI is subtitled “a pro-innovation approach.” It states that the government “will not put these principles on a statutory footing initially. New rigid and onerous legislative requirements on businesses could hold back AI innovation.”
The EU’s proposal at least lays down some categories. Its central distinction is between high-risk AI systems and everything else (a short list of practices, such as social scoring by public authorities, is banned outright). The high-risk category covers AI systems that pose significant threats to the health, safety or fundamental rights of persons, and these products will be subject to binding requirements.
Other AI products are defined as “non-high risk” or low risk. These are subject only to transparency obligations and voluntary codes of conduct rather than specific regulations.
Cybersecurity strategy in the U.S.
The U.S. strategy has the broadest scope, but like the other policy papers, it does not contain any general regulations. However, it does feature a few surprises.
The strategy is organized around five ‘pillars’:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
Most of the program elements could have been taken from any political polemic. A program to harmonize and streamline federal regulations is almost a cliché.
One of the initiatives involves establishing cybersecurity regulations to secure critical infrastructure. Its reach will be limited. In the electricity sector, for example, the distribution systems that carry power from the transmission grid to consumers are regulated primarily by the states and are largely outside federal control; federal reach ends at the bulk power system.
Even when there is an act, such as CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act of 2022), the implementation of its requirements can be years away.
CIRCIA will require covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours, but those obligations only bite once CISA’s rule is final. The act gave CISA up to two years to publish a proposed rule and another 18 months after that to issue the final rule, so the reporting clock does not start until the rulemaking is complete.
One change is the use of deterrence to counter cyber criminals. Although deterrence has a long history in diplomacy, most notably in nuclear strategy, it has not been applied systematically to cyber attacks. This may change.
The National Cybersecurity Strategy specifically states that “the United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests.”
These could include “military action (both kinetic and cyber), financial, intelligence, and law enforcement capabilities.”
In the past, sending in the marines or a squadron of B-52s against a criminal hacker would have seemed well outside accepted norms of behavior. The scale and persistence of cyber attacks, combined with the asymmetry of attacks launched from the territory of rogue states, may push governments toward a policy of striking back.
Another new element of the Strategy is reshaping the laws that govern liability. The Strategy proposes shifting the burden for data losses and harm caused by insecure software onto the entities that fail to take reasonable precautions to secure it, paired with a safe harbor for vendors that follow secure development practices. In essence, it would limit the software industry’s long-standing practice of disclaiming liability by contract and move it toward the regime that product liability already imposes on other manufacturers.
Like product liability, insurance is another area where markets have not fully determined how to distribute a loss across society.
Although the probability that a given organization will be breached is high, the lack of reliable loss data makes pricing the resulting liability difficult, particularly for correlated events that hit many insureds at once.
The National Cybersecurity Strategy directs the federal government to assess the need for a federal insurance backstop for catastrophic cyber events, to support rather than replace the existing cyber insurance market.
Political leaders know two things about cybersecurity: it creates jobs, which is good for the economy, and it is a source of crime and financial losses.
Governments have not figured out how to address the second without disrupting the first. That guarantees regulatory instability and compliance challenges for the foreseeable future.
Our advice is to stay focused on what makes any organization successful: the customer. If you prioritize customers’ needs and the protection of their data, compliance with whatever rules eventually arrive will largely follow.