May I Have a Cup of Weak Tea?
Regulating Cyber Security

By Phil Reitinger

An assemblage of cyber security mavens recently wrote an excellent paper cautioning careful deliberation in imposing cyber security regulation.  To summarize, it advises that regulation of cyber security be a “last resort,” and that because of the speed of technological change on the Internet, the value of innovation, and the risk of unintended consequences, regulators should “start small, be transparent, and adjust as needed.”

The paper is very well written and convincing.  Not that I needed much convincing – I don’t actually consider the issue arguable.  In a dynamic, complicated, technological, and international environment prescriptive regulation is perilous; I remember once reviewing proposed legislation that would have made it a crime to “damage or delete” data – legislation that would make felons of us all.  I would, however, like to highlight a few caveats to this conclusion that are not drawn out in the paper.  In particular, just because regulation should be a last resort does not mean that it should never be taken up.

First, in many cases, regulations already exists or must exist, and the only question is whether the regulations are good or bad.  For example, in the U.S. financial institutions are insured by the government and already have security regulations – to have no requirements for cybersecurity would put government funds and national security at risk.  Similarly, chemical facilities are regulated by the U.S. government (DHS) – to have those regulations cover physical security but not cyber security would be irrational and perhaps cause a misallocation of resources, driving undue physical security spending over cyber security spending.  Instead, regulators must focus on good regulation, with appropriate humility about their own capability, as the paper argues.

Second, caution regarding regulation must not undercut regulatory harmonization efforts.  While regulation can be wasteful and impair innovation, diverse and conflicting regulatory requirements can cause far worse.  Diverse regulatory requirements for cyber security means one thing for sure: cybersecurity spending for lawyers and consultants will increase.

Third, regulation is not black and white.  There are dials to turn that can increase and decrease effectiveness and the risk of market disruption.  One example of turning the dials to be less intrusive on markets is the use of use of positive incentives, rather than penal consequences, as suggested in the paper.  Another is to steer toward performance-based rather than prescriptive regulation.  For example, a regulation that a company use antivirus would have seemed critical 20 years ago, while now it does not seem critical at all.

Fourth, regulation can be designed to aid the market rather than impair it.  As the paper notes, “Markets need information to function.”  Recently, the Trump Administration proposed examining whether “market transparency” regarding risk management by critical infrastructure could be an effective incentive, an approach functionally similar to the Obama Administration’s May 2011 “Regulatory” proposal.   This type of regulation offers far less risk of market disruption and fewer unintended consequences.

Fifth, there are developing market failures that require rapid response.  The Internet of Things, noted in the paper, is one example.  Our joint risk from Internet-connected, unsecured, commodity consumer electronic devices is spiraling upward.  Perhaps things are not ripe for full-on prescriptive regulation, but partially imposing requirements through procurement incentives, as proposed in Congress, seems a valuable and critical first step.  I can also conceive of other cases where emergency, interim regulation would be required to address a national or homeland security risk.

Sixth, regulation with all its risks has the advantages of clarity and judicial review of the “regulations.”  The paper strongly criticizes the investigatory approach of the Federal Trade Commission – of conducting investigations based on cybersecurity “unfairness” and obtaining consent decrees – because it avoids the judicial review that prevents arbitrary government action.  Real regulation would provide notice of actual requirements, judicial review of them, and a fair process of determining if they were met.  I’ll take that over after-the-fact second guessing, with fines and a 20-year consent decree, any day.

Finally, I’m not sure that warning against regulation is really necessary, at least in the United States.  As I mentioned above, a bit over six years ago the Obama Administration proposed cyber security “regulation” that sought to establish performance-based requirements for the most critical of critical infrastructure, and with sanctions that amounted to “naming and shaming” violators rather than imposing fines and penalties.  This was light-touch regulation that complied with most of the criteria the paper authors suggest now. Even though it was criticized at the time as “weak tea … [that] shows no sense of urgency,” it failed miserably because it was too prescriptive for the political climate at the time – a climate that has grown even more anti-regulation.

I agree that regulation should be a last resort, and the organization that I lead, the Global Cyber Alliance, focuses on implementing real operational solutions instead of asking for regulation.  But where there is a clear need for government action that can’t otherwise be met, please pass me a cup of that weak tea.  It’s not Earl Grey, but it’s also not hemlock tea, and some days that’s enough.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.