November 13, 2024

America’s Aging Cyber Regulations Make Us Less Safe

In large part, this disconnect is due to the rise of the cloud. Many existing regulations were put in place when companies typically ran applications on equipment in their own data centers, sort of the way individuals used to buy shrink-wrapped software programs. Companies might update their software a few times a year to add new features and to patch new security vulnerabilities. On the whole, companies erred on the side of caution, introducing change only when necessary.

In the cloud era, however, going slow is not an option. Companies now leverage sophisticated public cloud platforms like Amazon Web Services (AWS), Microsoft Azure and Google Cloud, which let them create and rapidly iterate and improve dynamic digital experiences. They’ve decommissioned many of their own data centers in favor of running their own applications in the cloud and subscribing to Software-as-a-Service (SaaS) offerings such as Salesforce, Workday and Zoom. All of these apps make use of container technology, which breaks the code into small chunks that can be delivered to customers securely and efficiently across a variety of platforms, and use continuous integration and delivery (CI/CD) methods to automate the never-ending flow of tiny changes.

Unfortunately, the result of these changes is that many long-standing regulations are now hopelessly mismatched with today’s dynamic, highly automated software operations. Many security and compliance regulations, for example, require documentation of which person approved a particular software update – a practical impossibility for companies that do hundreds of updates a day.

To its credit, the Biden administration’s executive order endorses adoption of technologies that can help, particularly regarding security. Multi-factor authentication can help foil attempts by attackers armed with stolen usernames and passwords, and a cloud-era concept called zero trust security requires companies to treat every digital transaction (human and machine) as potentially dangerous until the identity of the requestor can be authenticated. These strict authorization rules can also help limit the “blast radius” of a successful attack.

Armon Dadgar, Co-Founder and CTO, HashiCorp

But that’s only the first step. To truly keep up with the changes wrought in the cloud we also need a new regulatory philosophy, one that helps rather than hinders companies’ efforts to adopt zero trust and other leading-edge security approaches. While drafting detailed policies is best left to the experts, there are several core principles I think should be considered:

Require adoption of modern security methods, not obsolete ones. Cyber regulations should drive companies to adopt development methods and security practices, like zero trust, that ensure security is built into products and systems from the get-go, not as an afterthought. Many companies are already recognizing the wisdom in this: According to identity and access management company Okta, the percentage of North American companies using or planning to use zero trust security has risen from 16 percent to 60 percent in the last three years. To get the rest on board, regulators should work with industry standards groups (such as the PCI Security Standards Council, which oversees how payment cards are secured) to design appropriate rules for various industries. They should consider mandating more aspects of the NIST Cybersecurity Framework, which lays out voluntary best practices.

While they’re at it, regulators should change or scrap rules that are past their prime. For example, companies must still document how they update their network firewalls as new threats emerge, even though firewalls are a pre-cloud technology designed to keep suspicious traffic out of company-owned and operated data centers. That makes them ill-suited for a world in which so much digital activity takes place on cloud platforms like AWS and in cloud services ranging from Salesforce to Zoom.

Free companies from a broken compliance model. While current regulations usually don’t specify exactly how companies should prove their systems are secure, many of the auditing firms they hire to make sure they’re following the rules have fallen into the habit of requiring particular security implementations – like an IRS auditor requiring not only that taxes are paid in full, but that the forms be filled out in blue ink. Many executives complain that the process is unnecessarily time-consuming, costly, and frankly, maddening. Organizations frequently want to adopt cutting-edge approaches to security but struggle to get approval from their auditors. Government could help by encouraging the auditing industry to modernize its approach. Whether through education campaigns, mandatory training requirements or other methods, auditors need the technical acumen and mindset to reward companies for finding better security methods, not stifle them.

Consolidate regulatory structures. Current federal rules require agencies in charge of key industries to create their own cybersecurity rules, such as NERC mandates for critical infrastructure and FINRA mandates for fintech companies. Since methods of attack tend to cross sectors, it could be more efficient to have more centralized approaches focused on dealing with the newest, most dangerous threats. In addition, the growing number of state-level privacy and security laws can create a confusing spaghetti factory of complex and sometimes conflicting instructions. Standardized rules would make it easier and faster to share critical information about emerging cybersecurity threats and the best ways to stop them.

Engage more with industry. The companies facing daily attacks are the front-line experts on what works and what doesn’t. Regulatory agencies need to create ways for private sector leaders to share battle-won expertise and best practices. Otherwise, the agencies will likely focus on the things they know they can control, forcing companies to check compliance boxes rather than take the actual steps needed to help safeguard themselves and their customers. From my experience, many IT executives would welcome the opportunity to participate in such programs.

Embrace automation. When it comes to promoting cybersecurity at scale, automation is essential. There is no human-based process sufficient for organizations the size of a Facebook, Salesforce or Fidelity to identify and patch vulnerabilities fast enough to prevent massive damage. And yet, many of our customers, particularly in regulated industries such as financial services and health care, must still document their processes for tracking who signed off on a particular change to their software. Given how quickly bad actors can exploit new vulnerabilities, companies have replaced slow-moving manual ticketing for fixes with automated systems, applying approaches like infrastructure as code that can update applications and infrastructure in minutes or less. The regulatory requirements have to keep up with this new reality.

Move faster. Every industry wants its regulators to keep up with the times and hopes for a constructive rather than a confrontational relationship. But when it comes to cybersecurity, speed and collaboration are mandatory. Software development methods evolve too fast, and the cost of falling behind is too high for the typical pace of governmental action. Damage from cyberattacks has risen 50-fold since 2015, to more than $20 billion annually, and is expected to hit $265 billion by 2031, according to Cybersecurity Ventures. And, attackers are showing less concern about who they hurt, even shutting down oil pipelines and hospitals.

Updating cybersecurity regulations is necessary to make the world a safer place but will also bring many other benefits. A fast, modern, automated approach to compliance will help unleash the full power of the cloud economy. Smart rules requiring adoption of current best practices would make U.S. companies more secure and free them to innovate more rapidly and boldly. Sticking with today’s regulatory norms will only help the bad guys.
