Cyber House Rules: Tougher local regulation is not enough

On December 18, 2015, President Obama signed into law the Cyber Security Act of 2015, which requires the Department of Homeland Security to develop rules to make it easier for private companies and U.S. government agencies to share information about cyber threats.

This law is just the latest in a host of new initiatives in recent years to ramp up data protection and encourage collaboration and transparency about cyber security at a federal and local level.

In the past year alone, more than 20 bills have been introduced in Congress to protect privacy online, facilitate the sharing of information on cyber threats, require some entities to notify affected individual or government agencies if data has been compromised, and introduce a Cyber Bill of Rights for consumers.

Regulators are expected to continue pushing for greater control of cyberspace in 2016. The New York State Department for Financial Services, for instance, is expected to propose new rules on cyber security policies at financial institutions in the state, including a requirement for regular audits, the appointment of a Chief Information Security Officer and notification of any incidents.

EU harmonization

Nor is the spate of regulation limited to the U.S. The European Union is expected to adopt the General Data Protection Regulation (GDPR) and the National Information Security Directive (NISD) in the coming months, with both coming into effect by the end of 2018.

The new rules are designed to harmonize the European Union’s fractured regulatory landscape and improve consumer protection by introducing a minimum standard of cyber security for essential services. They will also make it easier for businesses to transfer data within the EU.

NISD requires the likes of European banks, internet service providers, utilities and medical facilities to manage cyber risks more effectively, and to automatically notify the authorities if their systems are breached.

The GDPR gives private individuals easier access to their own data being held by third parties, makes it easier for them to move data between service providers, reinforces the right to have private data removed from third party websites like customer databases and social media, and obliges service providers to notify their customers when their data has been compromised. It also mandates the establishment of a European Data Protection Board to help coordinate the activities of each member state and requires companies in some sectors to appoint data protection officers to ensure that the new rules are being followed.

Other countries and regions are also moving to strengthen their regulatory frameworks in light of an increase in cyberattacks in recent years.

Local rules, global challenge

There are privacy concerns over some regulation. The Cyber Security Act of 2015, for example, is already being challenged in Congress on the grounds that it does not go far enough in protecting the identities of victims of cybercrime and gives internet service providers too much latitude in monitoring external systems. Yet any development that provides greater protection for businesses and consumers, increases transparency into cyber threats or fosters collaboration between governments, businesses and the public must be seen as positive.

However, while most current regulatory and enforcement activity is happening at a local and regional level, bad actors are operating across borders. Cyber criminals are becoming increasingly sophisticated and are often located in lightly-regulated jurisdictions, allowing them to operate under the radar, so risks are borderless and systemic.

Intra-government cooperation

As Zurich Insurance Group and ESADE Center for Global Economy argued in a report published in April, 2015, the global nature of cyber risks requires closer cooperation between governments.

The report, Global Cyber Governance: Preparing for New Business Risks, proposed measures such as the creation of a Cyber Stability Board to strengthen global institutions and a cyber-alert system modeled after alerts from the World Health Organization (WHO) to enhance crisis management. It also called for “more comprehensive dialogue between business, politics and civil society to ensure the security of cyberspace.”

An evolving challenge

A further risk is that the nature of cyber threats is constantly evolving.

In December, hackers managed to close down several power stations in the Ukraine in what is believed to be the first successful attack of its kind. In July of last year, Wired magazine reported on a proof-of-concept hack of a Chrysler Jeep, in which researchers took control of the vehicle’s electronic systems, including the radio, climate control, windshield wipers, digital displays, steering, brakes, and transmission.

Those incidents demonstrate that cyber risks now extend beyond the digital environment directly into the physical world—an effect that is only become more pronounced as more devices are connected with the emergence of the so-called Internet of Things.

The proliferation of monitoring devices, remotely controlled and automated systems, is creating fresh opportunities for attackers. It is an imperative for improved corporate resilience plans and global coordination of regulation and enforcement, to help reduce the weak links in cyber security. Breakthroughs in Big Data, while a boon for businesses and governments, are also making it easy to gather sensitive information without the ugly necessity of breaching protected systems. In the U.S., for example, law enforcement agencies are working with private companies to track vehicles and suspects using publicly available CCTV video feeds. While that could prove useful in preventing crime, in the absence of rules to protect privacy in public spaces, it could also be used for sinister purposes.

Part of the problem is that the real-world implications of technological developments are so difficult to predict. That means that businesses and governments need to work more closely together to develop a fluid and holistic approach towards building resilience to cyber attacks, with an emphasis on preventive continuity measures supported by post-event mitigation strategies and crisis recovery plans.