CIS Podcast: Cybersecurity Where You Are Ep.12
Cybersecurity and Government: Less Wizardry, More Policy
It can appear that cybersecurity practices are being built on the creative wizardry of technical experts rather than referential universal policy that everyone can abide by. When it comes to cybersecurity, there can be a lack of understanding by those in government of how it should work and what needs to be done to ensure public safety.
In this edition of Cybersecurity Where You Are, host Tony Sager, Senior Vice President and Chief Evangelist for CIS, welcomes guest Brian de Vallance, Alliance Outreach Coordinator for CIS. Together, they discuss the role government and technology experts play in the building of universal cybersecurity best practices and policy.
This week’s Cybersecurity Where You Are podcast highlights:
- The problem regulating cybersecurity
- Cybersecurity is currently the "Wild West"
- What makes cybersecurity different than other industries
- What roles different levels of government are taking
- Dispelling the mystery behind cybersecurity
Government Policy and the Complexities of New Technology
Policy is important as it creates universal standards to provide overall public safety. Sager and de Vallance agree that the main problem with creating cybersecurity policy is the complexity of technology in comparison to other industries. For example, when a car company releases a new model, the company must adhere to certain safety regulations and policies in order to release this new car. If it does not follow these guidelines and something detrimental occurs, it is responsible. The roadmap for the car industry, like many others such as radio, television, and healthcare, is clearer since they have minimum standards of care policies written for them all to follow.
Because of the complexity of technology, understanding what is needed to create minimum standards of care is more difficult. Governments and technical experts can work together to create these best practices as a starting point for writing universal cybersecurity policies.
The Wild West, with “Reasonableness”
The cybersecurity industry is a bit of a “Wild West” of sorts where technical experts are on their own, making up their own solutions. This is in part due to a lack of policy, but also because cybersecurity is a complex system and difficult for the masses to understand. Plus, as of now, cybersecurity adoption is largely voluntary. When there is a security breach, the only way to show a duty of care is basically defined by the universal statute of “reasonableness.” Reasonableness is the standard of care that a reasonably prudent person would observe under a given set of circumstances.
In the event of a breach, a company may need to prove that it put forth a reasonable amount of effort in order to avoid liability. Within the cyber environment, people are interacting with entities they do not know and offering their personal information to companies that do not have security policies to adhere to. This makes “reasonableness” quite difficult to define if there is a breach.
Federal and State Governments Supporting Cybersecurity Best Practices
Sager and de Vallance go on to speak about how government is making strides in cybersecurity policy. However, as a society we haven’t yet found the role government plays in cybersecurity, which is needed in order to build strong policy. How much of a role should government play in building policy? Should there be more buy-in from the state governments and private sectors?
When it comes to national safety, the federal government has the monopoly on public policy. When it comes to the Department of Homeland Security, DHS is a partner with the state, local and private sectors. They all work together to ensure public safety. Cybersecurity may fall more under the DHS umbrella where everyone is working together to build policy. This is a benefit as it allows all levels of government and private industry experts to work together on this issue.
With the federal government passing many cybersecurity bills in 2020, the development of CISA (the Cybersecurity and Infrastructure Security Agency), and state governments incentivizing the voluntary adoption of cybersecurity best practices, government is on the right track for universal policy success. Sager and de Vallance, while stating that a lot of progress has been made in recent years, agree that there is still a long way to go.
Policy makers need to understand that technology is not magic. A patch or a new upgrade or advancement in technology will not always fix the issue and may bring more problems than solutions. By working with technology experts to better understand the inner workings and vulnerabilities, stronger universal policies can be formed.