U.S. Regulatory Outlook for 2017
TRYING TO PREDICT THE FUTURE
I don't want to bring up politics but this is the first U.S. election where cybersecurity had sustained, serious attention by the press and the candidates.
Now that the election is over, will this focus mean we see a change in national cybersecurity policy? What changes might we see?
I've been reading the COMMISSION ON ENHANCING NATIONAL CYBERSECURITY DECEMBER 1, 2016 REPORT ON SECURING AND GROWING THE DIGITAL ECONOMY (https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf) to see what the future might hold. I imagine the themes in the document were drafted when the commission expected a different outcome in the presidential and congressional elections.
Even so, some of these suggestions are likely to pass bipartisan muster. What is the Commission recommending that the new Administration and Congress do?
CLEAR GUIDANCE ON CYBERSECURITY STANDARDS.
"The Commission recommends that The NIST Cybersecurity framework be adopted by Federal regulatory agencies or note exceptions to it for the entities under their purview."
For agencies that haven't mandated security controls or frameworks, it may be easier for both the assessed and assessors to mandate the framework instead of creating their own rules from scratch.
METRICS AND REPORTING:
Wouldn't it be nice to be able to actually show costs, risks and benefits of your cybersecurity expenditures? Without lots of data over time, this ranges between speculation and educated guessing. It's difficult to ask senior management for new tools, hires or consultants on just your say-so.
The Commission feels your pain. There's a request to gather metrics from volunteers, anonymize them, collate them to understand what works and what doesn't.
And while that data sounds good, isn't that a little scary? What happens if you're the only organization that admits to their flaws? Is this an invitation to bad press, regulatory scrutiny or lawsuits when you disclose inadequate controls or bad practices?
Possibly not. The next recommendation is to incentivize information sharing.
Liability limitations.
The Commission has recommended liability limitations to incentivize information sharing as well as compliance with the NIST guidelines.
"The government should extend additional
incentives [liability protections] to companies that have implemented cyber risk
management principles and demonstrate collaborative
engagement... Safe Harbors would be particularly appropriate to consider in the context of providing business certainty for companies that operate in regulated sectors"
If this comes to pass, this will likely convince many firms who have suffered a breach to come forward to obtain immunity. The reputational losses may be counteracted with a 'good citizen' spin in their marketing materials.
I foresee regulatory agency safe harbors for disclosure occurring more quickly than statutory liability changes. Regulatory agencies' rule-making activities do not receive the press or public interest that legislation may garner.
Passing absolute liability caps or preventing punitive damages for self-disclosed breaches and framework compliance are a possible compromise to protect consumers and businesses alike.
THREAT SHARING
Sharing retrospective cybersecurity metrics is interesting, but what about defenders fighting the good fight today? Imagine the advantages to share malware signatures, vulnerability information and possibly threat intelligence in real-time.
Some protections for intellectual property and privacy may need to remain. Building the feeds are going to be a business opportunity for cybersecurity vendors, while disrupting older silo'd models of threat information.
The Commission has longer term plans regarding specific technologies, which we'll be discussing in a subsequent blog post.
What might this this mean to you?
Odds are we're going to see some carrot and stick incentives to formalize IT and Security operations. It may be time to take a look at the NIST Cybersecurity Framework and see what you can do right now and what you could do in a year.
Take some time from your busy schedule and talk with your peers in your industry. There may be opportunities to learn from each other without violating privacy or leaking trade secrets. It'll help to develop some intra-industry trust before sharing becomes strongly recommended.