Receive free Cyber Security updates
We’ll send you a myFT Daily Digest email rounding up the latest Cyber Security news every morning.
The writer is partner at Krebs Stamos Group and former director of the US Cybersecurity and Infrastructure Security Agency
The Securities and Exchange Commission (SEC) recently announced a highly anticipated set of cyber security regulations, requiring companies to publicly disclose incidents and regularly report on governance. At first glance, these new rules make sense and are even overdue, particularly after a string of high-profile attacks by Russia, China and their proxies. These have rattled industry and government alike, highlighting our reliance on tech companies and their vulnerable products.
The increased transparency will certainly drive much-needed awareness across industry. Corporate discussions around cyber risk are crucial at a time when geopolitics and technology are inextricably linked. But not all the SEC’s additions are positive.
The new incident reporting requirements are redundant and misdirected. Last year Congress directed the Cybersecurity and Infrastructure Security Agency (CISA) to develop incident notification regulations for industry. Congress was clear: CISA is the lead civilian agency for cyber security, and incident reporting should go there. The new rule now requires companies to report incidents to two federal regulatory authorities: CISA and the SEC.
The SEC regulations also encourage companies to prematurely release information that may enable attackers to burrow in, evade responders and cause longer-term damage. Even more worryingly, a company might be required to release information on a vulnerability before a patch is available, leaving customers using that vulnerable software defenceless against attacks from newly empowered attackers.
We will soon have a cyber reporting mess on our hands. Due to jurisdictional turf battles and the absence of a unified constituency, Congress has no clear strategy for improving US cyber security. Leadership remains fractured and subject to the whims of multiple committees.
Over the past decade, legislators have issued a hodgepodge of laws and authorised a never-ending stream of organisations. Just about every major executive branch department has a cyber security office, stretching resources and personnel unnecessarily thin. This over-bureaucratisation has made it harder, not easier, to work with the government. I regularly hear: “who do I call to talk about this issue? CISA, the FBI, the NSA, the Department of Energy, the White House? Why can’t there be a one-stop shop for working with the government on cyber issues?”
That’s precisely what I sought to achieve in working with Congress in 2018 to establish CISA. But while CISA has successfully established itself, we still lack a cohesive national cyber organisational structure.
How do we get out of this bind? Three things are needed: first, the SEC should suspend incident reporting requirements and defer to Congress and CISA on future cyber security mandates. The remaining regulations can remain in force, though the SEC should evaluate industry feedback on the practicalities of implementing them.
Second, Congress should establish select committees on cyber security in both chambers. These would have primary jurisdiction over technology risk issues, initially around cyber security, but possibly encompassing artificial intelligence as well.
Finally, Congress must evaluate liability regimes that ensure technology developers are introducing products and services that are secure by design. We are facing intelligent enemies committed to breaking into key services. But we continue to see products released with fundamental, preventable flaws. Developers must be held to account.
Over the longer term, the select committees should designate a central civilian agency to lead on digital risk management issues. This could be created by repurposing an existing agency such as CISA or through a new organisation that draws on elements of existing agencies throughout the government. There is precedent for such reorganisation: the Department of Homeland Security was created in the wake of 9/11, and regardless of your views on the DHS, we are safer today as a result of its creation.
It’s clear that our reliance on technology is accelerating at a pace that surpasses our ability to intervene. More government isn’t the answer. Smarter regulation can be achieved by reducing overlapping, conflicting and counterproductive regulatory programmes. We must think about grander solutions rather than nonstop incremental adjustments.
Perhaps the SEC has done us a favour by overreaching with its new rule. Congress should now reassert itself in order to place national cyber security policy on the right path.
