If there is one phrase dreaded by all types of businesses in the US, it has to be “government regulation.” So it was surprising to hear nearly all the speakers at the 2018 Global Cyber Security Initiative meeting last Friday agree that what their industry really needs is more regulation. That almost unbelievable claim does come with a number of caveats, however.
The afternoon session began with Dr. Sujeet Shenoi, F.P. Walter Professor of Computer Science at the University of Tulsa, who scared the crowd with stories of just how vulnerable our cyber-infrastructure is. This point has been made to us before, but it has more weight coming from someone who has personally cracked numerous computer-based systems over the years and is telling you how easy it was to do. Not because he is a black hat (aka a cyber bad guy) – rather, he is a white hat who has learned that the best way to protect a system is to learn how to crack that system to understand its vulnerabilities.
These vulnerabilities are everywhere: in ATMs, smart meters (e.g. the electric meter on your home), voting machines, wind turbines and financial networks, to name a few. Dr. Shenoi related a story about how a wind turbine could be compromised by disabling the brake that moderates its speed and keeps it from spinning itself apart. Bad guys hack in, disable the brake, and the turbine destroys itself. Then they ransom the company that owns the turbine for millions with the threat that the other 199 turbines in the wind farm, each costing $5 million, will suffer the same fate. That is just one example from a whole spectrum of industries that are vulnerable.
The solution to this problem, touched on by almost all the rest of the afternoon panels, is more regulation. The industry that makes all these computer-based devices has itself repeatedly failed to enforce any kind of standards in the area of security, panelists noted. Government regulations are needed to enforce standards that will safeguard all these systems, which affect so many areas. The panels did note, however, that there are limits to this regulation. The government will not simply accept an entity’s being in compliance with a particular standards organization, such as the International Organization for Standardization (ISO), as sufficient; the entity must meet the government’s standards as well.
Particularly frustrating for businesses is that the regulations that exist are implemented at almost every level of government, so they must comply not only with federal regulations but also with state, county and even city regulations, not to mention regulations in other countries. Chicago has recently passed Chapter 4-402, entitled “Chicago Personal Data Collection and Protection Ordinance,” which sits atop a pile of similar regulations going all the way up to the federal government. Complying with all of these levels of regulation has become a nightmare and a severe drain on resources for many companies.
Add to this that regulators are, by and large, simply not educated well enough on the challenges and technical needs of the business world to make appropriate regulations, which means the businesses must do their best to educate the regulators – yet another drain on resources. The panels noted that regulations around cyber security have gotten better to an extent. In the past, cyber security was a checklist that everyone had to meet regardless of whether it made sense. These days regulators are more likely to have you show that your approach to security works.
In short, the panelists would like to see a better-educated federal regulator that supersedes state and local regulations – one authority that the industry answers to, making rational and needed regulations. Add to that the need for companies to have a chief information security officer (CISO) who can coordinate their company’s cyber compliance needs. A good CISO can actually lower the costs of compliance. Unfortunately, the potentially steep legal penalties (as in multi-million-dollar fines and long prison sentences) that exist for CISOs who make mistakes in some particular instances mean not enough people are willing to do that work.
Also of note was the panel on smart contracts. The big surprise there was that Cook County (which encompasses Chicago) is the first county in the nation to embrace smart contracts for deeds and other government records. It was eye-opening to learn how easy it is for you to take ownership of your neighbor’s house, without buying it, given how records are currently kept (note: that is illegal – do not try it). Smart contracts have great potential to solve this problem. Such a system is still a bit away from prime time; deciding whether it would be a private or public blockchain is one stumbling block, but there is good reason to think the folks working on this will get there eventually and greatly streamline and improve government record keeping in some areas.
Concerns about cybersecurity are real and serious. If these concerns are not addressed, serious damage could be done to businesses and, by extension, the country and society. Meeting the challenges of the future will require working closely with regulators in a rational and logical fashion. Compliance with regulations is not just a matter of satisfying bureaucracy; it is crucial to safeguarding our companies.
As Arlan McMillan, CSO for Kirkland & Ellis LLP, noted, “Compliance does not mean you are secure, but I guarantee you if you are not compliant, you are not secure.”
Edited by Sarah Rudolph