The Role of Regulation in Cyber Security

Richard Knowlton had the following letter published in the Financial Times back in November 2015. It’s still relevant!

Dear Sir,

Many seem to accept that “good old-fashioned regulation” is the way to deal with businesses’ vulnerability to cyber-attacks. I beg to differ.

The main problem in managing cyber threats is not the criminal negligence of companies or individuals. Nor is it that the security technology itself is poorly designed or implemented.

The fact is that the technology itself is under relentless attack, and governments, businesses and consumers are all on the same side against powerful criminal syndicates and nation states.

The assumption behind a regulatory approach is that Government is an independent and expert actor with a clear view of what needs to be done. But it is painfully clear that Government is no better than anybody else at managing cyber threats. Even the most sensitive agencies in sophisticated Western countries regularly fall victim to successful hacks.

The traditional regulatory model seeks to identify a series of minimum standards. But this static approach is inadequate to meet threats which are subject to constant and highly dynamic change. We need a flexible system that motivates continued and cost-effective improvement. The conventional regulatory process is not designed for this goal.

Meanwhile, compliance with regulations is time- and resource-intensive for the company in question – just what we do not need when one of the most serious problems we face in cyber-security is a lack of resources, especially in technical personnel. Compliance-checking uses up scarce security resources and diverts them from actual security.

Finally, cyber security is a global problem, where nation states have limited jurisdiction and impact. Even if the US or EU were able to develop perfect regulatory systems, they would apply only in the USA or EU.

So what would be a helpful approach? I’m certainly not opposed in principle to setting minimum standards – a basic “cyber hygiene” akin to ensuring that medical staff wash their hands to prevent the spread of a virus. The UK government’s “Cyber Essentials” programme is a good example. It describes simple controls to provide basic protection from the most common forms of cyber threats.

But merely ensuring that nurses wash their hands will not stop future viral epidemics. In cyber-security we need a new model that is based on voluntary collaboration between the private and public sectors, and that recognises that a principal problem with cyber threat management is economic: there is seldom a clear business case for investing in cyber security.

I favour the private-public collaborative approach being developed in the US. It includes work on developing incentives (reduced insurance premiums and automatic qualification to tender for government contracts). It is also based on voluntary, risk-based standards, guidelines and practices to help organizations manage cyber risks.
