
Introduction
Cybersecurity moves faster than bureaucracy. (Well, many things seem to move faster than bureaucracy, but that’s a story for another time.) The main problem with this velocity gap is that CISOs and cybersecurity teams find themselves hobbled by regulations and requirements that are out of date almost as soon as they are enacted.
Another, equally grave issue is that cybersecurity policymakers are usually not cybersecurity experts – in fact, they often have exactly zero experience with the world of cybersecurity. That makes for extraordinarily ham-handed policies that leave industry players baffled and dismayed.
So, the rules come late to the books, are often drafted by inexperienced individuals, and leave security teams hamstrung in their day-to-day work. It’s a losing situation.
Take a look at some recent examples of cybersecurity regulations that missed the mark:
Recent Policy
Georgia State Bill 315: Introduced in the Georgia state senate, the bill was modeled after the controversial Computer Fraud and Abuse Act, which made accessing a network or computer without authorization illegal – even if there was no theft or damage. The Georgia bill, bizarrely, contained language that would have made legitimate third-party security investigations against the law. Cybersecurity best practice depends on a culture in which independent security researchers, outside the organizations they examine, test those organizations’ systems for vulnerabilities. These researchers need to be able to identify and disclose vulnerabilities, which makes us all safer. The Georgia bill revealed a complete ignorance of these cybersecurity best practices on the part of the lawmakers.
Sen. Mark Warner’s IoT Improvement Act: Drafted and supported by a bipartisan group of senators, the bill aimed to protect increasingly “connected” citizens by introducing a security standard for all internet-connected devices. That’s a good aim, but the bill called for vendors to “certify” that there are absolutely zero vulnerabilities in a connected device before it goes to market – a requirement that any cybersecurity worker can tell you is impossible. “No one can ever say with absolute certainty that a product with more than 10 lines of code is free of vulnerabilities. That’s just not how software works,” pointed out a leading cybersecurity publication.
In spring 2023, the Biden administration released a 39-page document detailing new guidelines and plans for aligning government oversight and private cybersecurity companies. The administration made it clear from the start that the material is “a living document”, thus clearly anticipating changes to its structure and contents as cybersecurity rapidly changes. Some industry experts expressed worries, such as pointing out the difficulty of developing government regulations without impeding innovation or stifling digital economic growth. It’s a constant struggle, and one that has yet to be fully overcome.
Moving Forward
Some possible answers: more expertise (on the part of the lawmakers), more proactivity (in terms of lawmakers drafting policies that anticipate future issues, rather than reacting to issues that are already years old), and more collaboration (between policymakers and the private sector). Essentially, cybersecurity policymakers need to start behaving more like the private cybersecurity sector – staying ahead of current trends, thinking adaptively, and being smart about maintaining an environment conducive to innovation and big-picture thinking.
If you’re worried about running afoul of ever-changing government cybersecurity regulations, a full-spectrum threat intel platform like HackNotice can be a great asset. You’ll enjoy in-depth, proactive monitoring of threats to your domains, your end users, and even your supply chain. Plus, you’ll be able to research the dark web like a pro. All that intel adds up to a level of control and power over your threat surfaces that puts you way ahead of the regulatory game. Schedule a demo with us!
Sources:
- O’Neill, Patrick Howell. “Cybersecurity Policymaking Is out of Focus. Bureaucracy Hackers Can Help.” CyberScoop, February 27, 2018. https://cyberscoop.com/us-cybersecurity-policy-lisa-wiswell-bureaucracy-hackers/.
- Kreps, Sarah. “What Business Needs to Know About the New U.S. Cybersecurity Strategy.” Harvard Business Review, April 14, 2023. https://hbr.org/2023/04/what-business-needs-to-know-about-the-new-u-s-cybersecurity-strategy.
- Pallardy, Carrie. “How Will the New National Cybersecurity Strategy Be Implemented?” InformationWeek, July 21, 2023. https://www.informationweek.com/security-and-risk-strategy/how-will-the-new-national-cybersecurity-strategy-be-implemented-