2022-08-30 11:02:03
“If you can’t measure it, you can’t manage it.”
New Cybersecurity Regulations Are Coming. Here’s How to Prepare.
A whole suite of new cybersecurity regulations and enforcement are in the offing, both at the state and federal level in the U.S. and around the...
Cybersecurity has reached a tipping point. After decades of private-sector organizations more or less being left to deal with cyber incidents on their own, the scale and impact of cyberattacks means that the fallout from these incidents can ripple across societies and borders.
Now, governments feel a need to “do something,” and many are considering new laws and regulations. Yet lawmakers often struggle to regulate technology — they respond to political urgency, and most don’t have a firm grasp on the technology they’re aiming to control. The consequences, impacts, and uncertainties on companies are often not realized until afterward.
In the United States, a whole suite of new regulations and enforcement are in the offing: the Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all working on new rules. In addition, in 2021 alone, 36 states enacted new cybersecurity legislation. Globally, there are many initiatives such as China and Russia’s data localization requirements, India’s CERT-In incident reporting requirements, and the EU’s GDPR and its incident reporting.
Companies don’t need to just sit by and wait for the rules to be written and then implemented, however. Rather, they need to be working now to understand the kinds of regulations that are presently being considered, ascertain the uncertainties and potential impacts, and prepare to act.
What We Don’t Know About Cyberattacks
To date, most countries’ cybersecurity-related regulations have been focused on privacy rather than cybersecurity, thus most cybersecurity attacks are not required to be reported. If private information is stolen, such as names and credit card numbers, that must be reported to the appropriate authority. But, for instance, when Colonial Pipeline suffered a ransomware attack that caused it to shut down the pipeline that provided fuel to nearly 50% of the U.S. east coast, it wasn’t required to report it because no personal information was stolen. (Of course, it is hard to keep things secret when thousands of gasoline stations can’t get fuel.)
As a result, it’s almost impossible to know how many cyberattacks there really are, and what form they take. Some have suggested that only 25% of cybersecurity incidents are reported, others say only about 18%, others say that 10% or less are reported.
The truth is that we don’t know what we don’t know. This is a terrible situation. As the management guru Peter Drucker famously said: “If you can’t measure it, you can’t manage it.”
What Needs To Be Reported, by Whom, and When?
Governments have decided that this approach is untenable. In the United States, for instance, the White House, Congress, the Securities and Exchange Commission (SEC), and many other agencies and local governments are considering, pursuing, or starting to enforce new rules that would require companies to report cyber incidents — especially critical infrastructure industries, such as energy, health care, communications and financial services. Under these new rules, Colonial Pipeline would be required to report a ransomware attack.
To an extent, these requirements have been inspired by the reporting recommended for “near misses” or “close calls” for aircraft: When aircraft come close to crashing, they’re required to file a report, so that failures that cause such events can be identified and avoided in the future.
On its face, a similar requirement for cybersecurity seems very reasonable. The problem is, what should count as a cybersecurity “incident” is much less clear than the “near miss” of two aircraft being closer than allowed.
202 viewsAlireza Ghahrood, 08:02