The Problem with Cybersecurity Regulations


Progress, as executives know, is a slow thing; two steps forward, one step back is as good as it gets for many organizations.

When it comes to cybersecurity, that adage seems to run in reverse: things are going from bad to worse. Nearly 1,100 major data breaches were reported in 2016 according to the Identity Theft Resource Center, 40% more than a year earlier. 2017 is on track to beat that; high-profile incidents this year include the compromise of huge troves of data at the IRS, OneLogin, Verizon, Equifax, the SEC and many others.

A study by Ponemon and IBM puts the cost of a data breach at some $4 million apiece, and by 2019 losses to cyber-crime are forecast to exceed $2 trillion. As the frequency and cost of cyber-insecurity grow, so does spending on cyber-defense, which is expected to reach some $90 billion in 2018.

As cyber-insecurity grows, calls are increasing for someone to do something. But what? There are likely tens of thousands of cybersecurity firms around the world, each with its own twist on detecting, preventing or otherwise outmaneuvering cyber-attacks. Practice makes perfect, and one would think that by now cyber-defense experts would be wise to all the hackers' tricks.

In fact, they are. Year after year the same kinds of attacks repeat themselves (for example, social engineering campaigns that prompt victims to open phishing messages carrying malware or malicious links). Shockingly, the same tactics continue to work, and work more successfully each year. It's as if there were some sort of conspiracy of failure going on, with everybody in the cyber-defense business deliberately leaving security holes so that hackers can keep winning.

A hint at what a possible solution might look like came in a recent speech by Daniel Pinto, chief executive of JPMorgan's corporate and investment bank. "Each country has a different standard but we have a global problem ... When you go to point where you have to have different standards in every place, you put yourself in a vulnerable position," Pinto said. Countries may be able to defend data within their own jurisdictions, but companies that want to do business with the world have to take what they're given, even when it comes from partners in another jurisdiction with less stringent security standards.

Imposing worldwide standards might entail an international protocol, similar to the agreements sponsored by bodies like the World Trade Organization. Indeed, at this year's RSA Conference, Microsoft Chief Legal Officer Brad Smith called for a Digital Geneva Convention.

Would that work? Smith's proposal implies that tech firms can help defend against nation-state cyber-attacks, but that assumes it is possible to establish who was behind a successful attack. One of the attractions of cyber warfare (and cybercrime) for bad actors is the extreme difficulty of attribution. Either countries (or companies) will blame each other without evidence and go to "war," or they will be left to fend for themselves, much as they are now.

Besides, imposing international standards at the local level doesn't always work; custom and local regulations differ, and the regulatory environment can become very complicated. A good indication of what to expect from an international standard is the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council. In force since 2004, the DSS sets rules that companies must follow in order to handle payment cards.

Those rules cover where and how cardholder data may be stored and transmitted (for example, masking the primary account number when it is displayed and rendering it unreadable at rest), how the networks that carry it must be segmented and protected, how access to it is authenticated, and so on. Despite a newer, stricter version of the standard being phased in, 2017 is going down as a banner year for credit card data theft; Whole Foods, Sonic, IHG, Verifone and many others have been hit.
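What the DSS's data-handling rules amount to in practice is easier to see in code than in the standard's language. The following is an added example, not code from the article or from the PCI Security Standards Council: it finds primary account numbers in application log lines (a common way card data leaks into places it is not allowed to be), replaces them with the first-six/last-four display form that requirement 3.3 permits, and shows one illustrative at-rest form (truncation plus a keyed hash) in the spirit of requirement 3.4. The regex, the Luhn filter, the HMAC choice and the log lines are all constructed for this example and are not the standard's prescribed implementation.

```python
"""Added example (not from the article): PCI DSS-style handling of primary
account numbers (PANs).  Requirement 3.3 caps what may be displayed to the
first six and last four digits; requirement 3.4 requires a stored PAN to be
rendered unreadable.  Regex, Luhn filter, HMAC token and sample log lines are
illustrative choices made for this example."""
import hashlib
import hmac
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.  Candidates are then confirmed with a Luhn check so that
# order numbers and timestamps are not masked by mistake.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display form: first six and last four visible."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def storage_token(pan: str, key: bytes) -> str:
    """Illustrative requirement 3.4 at-rest form: last four digits plus a
    keyed hash.  An unkeyed hash of a 16-digit PAN is trivially brute-forced
    (the search space is small once the BIN is known), hence the secret key."""
    digits = re.sub(r"\D", "", pan)
    tag = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return f"{tag[:16]}:{digits[-4:]}"


def scrub_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in a log line with its masked form.
    Returns the scrubbed line and how many PANs were found."""
    found = 0

    def repl(m: "re.Match") -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found += 1
            return mask_pan(digits)
        return m.group(0)          # digit run that is not a card number

    return PAN_RE.sub(repl, line), found


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a whole log; returns the cleaned lines and the total PAN count."""
    out, total = [], 0
    for line in lines:
        clean, n = scrub_line(line)
        out.append(clean)
        total += n
    return out, total


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LOG = [
    "2017-10-02 payment ok card=4111 1111 1111 1111 amount=42.00",
    "2017-10-02 order=1234567890123 status=shipped",
    "2017-10-02 payment ok card=5555555555554444 amount=9.99",
]

if __name__ == "__main__":
    cleaned, count = scrub_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(f"{count} PAN(s) masked")
    print(storage_token("4111 1111 1111 1111", b"example-key-rotate-me"))
```

The Luhn filter is what keeps this usable on real logs: a bare 13-19 digit regex fires on order IDs and Unix timestamps, and a scrubber that rewrites those gets turned off. The key used for the storage token belongs in a key-management system with rotation, not in source; it is a literal here only so the example runs offline.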

Perhaps the standard that is needed is not a set of rules at all: everyone agrees that the objective is to keep hackers away from the data altogether. A better approach might be to sign companies around the world up to a technology standard. Building such a standard would start by investigating the many cybersecurity approaches in use today and determining which are the most effective.

A standard assessment could be developed that queries organizations about the risks they face, with the resolution of those risks forming part of the overall solution.

In our opinion, the heart of that solution will be technologies that prevent breaches in the first place. Many of the solutions in use today are based on detection, which means the malicious content has already arrived, and often already executed, by the time anyone acts. With email "the most likely attack vector for ransomware, either via email attachments or malicious links in email messages," according to a report by Osterman Research, prevention is key. Indeed, by one widely cited estimate, 91% of breaches start with email.

Figure out how to "purify" email of the malware it carries, make the solution available worldwide, require business partners to implement it, and hackers will likely have to find another line of work.
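The prevention-over-detection argument above is concrete at the mail gateway, where a message can be screened before anyone has a chance to open it. The following is an added example, not code from the article or from any vendor: it parses a MIME message with Python's standard `email` package and rejects attachments on three grounds that recur in the phishing campaigns described earlier, namely a blocklisted extension, a double extension such as `invoice.pdf.exe`, and a mismatch between the declared file type and the file's magic bytes. The extension list, the signatures and the sample message are constructed for this example; a production gateway would add archive extraction, macro analysis and sandboxing on top.

```python
"""Added example (not from the article): attachment screening of the kind a
mail gateway runs before delivery.  Lists, signatures and the sample message
are illustrative and constructed for this example."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions that have no business arriving by email from outside.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
               ".ps1", ".jar", ".docm", ".xlsm"}

# Leading bytes that identify the real container regardless of filename.
MAGIC = {
    b"MZ": "pe",                                     # Windows executable
    b"PK\x03\x04": "zip",                            # zip, docx, xlsx, jar
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",       # legacy doc/xls
    b"%PDF": "pdf",
}

# What the declared extension says the container should be.
EXPECTED_KIND = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip",
                 ".doc": "ole", ".xls": "ole", ".zip": "zip"}


def sniff(data: bytes) -> Optional[str]:
    """Identify the container from its magic bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def screen_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons to reject this attachment; empty list means pass."""
    name = filename.lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension {ext}")
    # invoice.pdf.exe: a document extension hiding in front of the real one
    if len(parts) > 2 and "." + parts[-2] in EXPECTED_KIND:
        reasons.append("double extension")
    kind = sniff(data)
    if kind == "pe" and ext not in BLOCKED_EXT:
        reasons.append("executable content with non-executable extension")
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        reasons.append(f"content does not match {ext}")
    return reasons


def screen_message(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Screen every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        fn = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        verdicts.append((fn, screen_attachment(fn, data)))
    return verdicts


def build_sample() -> bytes:
    """Constructed message: a genuine PDF, a PE with a double extension,
    a macro-enabled Word file, and a PE disguised with a .pdf name."""
    m = EmailMessage()
    m["From"] = "accounts@example.com"
    m["To"] = "victim@example.org"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see attached.")
    m.add_attachment(b"%PDF-1.4\n% constructed body", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="pdf", filename="invoice.pdf.exe")
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="report.docm")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="pdf", filename="statement.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample()):
        print(f"{name}: {'pass' if not reasons else ', '.join(reasons)}")
```

The magic-byte check is the part worth keeping even if the lists change: an attacker controls the filename and the declared Content-Type, but not the first bytes of a PE or a zip container. Note that `report.docm` is caught only by its extension; telling a macro-enabled document from a harmless one when it arrives as `.docx` requires unpacking the container, which this example deliberately leaves to a dedicated parser.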
