"Regulation" is an important tool for the Government to assure the welfare of society and our sometimes fragile economy. Opposition to regulation typically takes the form of stifling innovation, falling productivity or simply Government overreach. However, the prevailing rallying cry is the direct-cost of imposed standardization and forced approaches; especially as it relates to cybersecurity.
Cybersecurity is the most prominent of all the genres of potential economic disruption in today’s society. Theft of electronic data and the crossing of network boundaries without permission touch each and every individual connected to a device, as well as those too young to have put their little hand on a keyboard yet. On a daily basis, adversaries lurking behind spoofed addresses and those attacking from dark rooms in third world countries create a diversity of threat vectors. Everyone is a potential victim; most have already been victimized. This problem is so severe that the U.S. can’t regulate systems into clean critical network environments or force network owners/operators into meaningful compliance. We need vision to design the mouse trap capable of catching vermin - even if he is the size of a rat.
This is one of those historic times where we as a united American family overcome through meaningful public-private partnership for a more secure future. It is clear the Government is starting to understand the cybersecurity conundrum as they seek to protect millions of networks, seen and unseen. Independent regulators are even realizing that regulation moves too slowly and is too costly to grow the economy while protecting it. Most importantly, there are signs regulators see that “Regulation is not Public-Private Partnership.”
In the wake of huge data breaches, a spirit of cooperation is emerging. Even those opposed to any cybersecurity regulation will tell you that we need to 1) encourage innovation, 2) educate network owners and 3) bring about a culture of cybersecurity, as opposed to forcing onto growing infections a Band-Aid that doesn’t fit the wound. Our actions today define our ability to adapt to an ever-changing adversary tomorrow. Congress appears to see this also, if only because the blinders are coming off as they are constantly punched in the face by cyber-attacks.
Recently, Commerce Secretary Penny Pritzker echoed the call for each agency to develop an information sharing mechanism with the entities they are empowered to regulate. Pritzker explained that major companies are looking at their requirements through a lens of liabilities, responsibilities and stock value, and that despite DHS’ valiant efforts, companies view Government interaction and cybersecurity as business risk.
The International Association of Certified ISAOs (IACI) also understands this issue, complicated by a simple word called "trust". IACI's goal is to build relationships between communities of interest like Credit Unions, Maritime and Port Operators, as well as those in the same region. We believe that as these engines of the economy - having related cyber risks - begin to trust each other, they will be poised to work closer with the regulators to shape and standardize approaches to cybersecurity. More importantly, the regulators will move further away from arbitrarily regulating them. This approach, while potentially an extra step towards resiliency, will be the border that cybersecurity lacks today and give this ill-shaped danger a traditional form we can get our arms around. www.certifiedisao.org