Infosecurity Europe
4-6 June 2024
ExCeL London

The Challenges of Growing Government Intervention in Cybersecurity

Governments around the world are now highly active in cybersecurity, shaken by high-profile attacks on critical infrastructure that have had real-world impacts. Notable examples are the Colonial Pipeline incident in 2021, which took down the largest fuel pipeline in the US, and the plethora of ransomware attacks on healthcare organizations, which have severely impacted patient outcomes.

The enormous economic damage caused by surging cyber-threats has also placed the issue into the consciousness of politicians. Figures from Statista estimate the cost of cybercrime worldwide in 2022 to be an eye-watering $8.44 trillion, and predict it will reach an astonishing $23.84 trillion in 2027.

It is unsurprising that national and supranational governments feel compelled to take action to ensure that society is better protected. For example, both the UK and US governments have recently published long-term national cybersecurity strategies, and these involve legislative action.

In the US, President Joe Biden signed an executive order in May 2021 designed to improve software supply chain security, incident detection and response, and overall resilience to threats. Among other measures, it requires software sold to the federal government to meet secure-development standards, with suppliers that fail to do so risking exclusion from federal procurement.

Additionally, in March 2022 the US passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, under which US critical infrastructure companies will be obliged to report covered cyber incidents within 72 hours and ransom payments within 24 hours. These obligations only take effect once the Cybersecurity and Infrastructure Security Agency (CISA) finalizes the implementing rule, so the exact scope of covered entities and incidents is still being defined.

On the other side of the Atlantic Ocean, the UK passed the Product Security and Telecommunications Infrastructure (PSTI) Act in December 2022. This legislation places new cybersecurity requirements on manufacturers, importers and distributors of consumer IoT devices, including a ban on universal default passwords, a requirement to publish a vulnerability disclosure policy, and transparency about the minimum period for which security updates will be provided.

The UK government is also working on regulations in numerous other areas of cybersecurity, including placing security and privacy requirements on app store operators and developers.

The growth of cybersecurity regulation goes far beyond the UK and US, with the EU actively reviewing and updating its cybersecurity rules, for example through the NIS2 Directive, which broadens the sectors subject to security and incident-reporting obligations.

There has also been an enormous increase in data privacy legislation globally in recent years, following the EU’s GDPR coming into force in 2018.

Although most cybersecurity laws have only recently been enacted, or have not yet come into force, it is important to assess their impact so far and how regulatory approaches need to evolve going forward.

Overcoming Compliance Challenges

Studies show that the growth of cybersecurity regulations is doing little to stem the flow of attacks and breaches so far – far from it.

Part of the issue could be organizations experiencing difficulties in adhering to such a wide range of regulations. For example, research by CyberSheath in November 2022 found that 87% of US defence contractors are failing to meet basic cybersecurity regulation requirements, with lack of understanding and enforcement cited as factors.

While it is hoped that greater awareness and understanding of regulations will come with time, it is vital that businesses are provided with advice and guidance in updating their compliance programs, especially SMEs, which lack the resources and expertise of large firms. Strong enforcement is also required to ensure organizations stand up and take notice, as is now happening with the EU’s GDPR.

Another issue is that too often governments lack input from cybersecurity practitioners when shaping new rules. Speaking during an event in 2022, Jen Ellis, cybersecurity advocate and community convenor, highlighted the lack of responses the UK government typically receives from the industry in its consultations for new legislative proposals. It is vital such input is provided to ensure the regulations are practical and effective.

Ellis told the audience: “They [the government] really want to hear from you – the people who have the knowledge to ensure they are doing the right thing.”

Adapting to Emerging Threats

A common frustration for industry experts is that regulations often lead to a ‘tick-box’ approach to cybersecurity, where organizations do the minimum they need to comply and do not address the true nature of the threats they face. With cyber-attackers continuously adapting their techniques, it is crucial that organizations are flexible in their posture, updating their defensive tools and processes in response to the specific threats they face rather than simply following top-down regulations.

Linked to this issue is the fact that emerging technologies, such as quantum computing and AI, are set to bring about new cybersecurity challenges for organizations in the coming years.

For example, security experts are already warning of the cyber-threat implications of OpenAI’s ChatGPT, such as its potential to be used to create malware and sophisticated phishing campaigns.

Encouragingly, governments are attempting to get ahead of the curve in these areas. In the US, the Quantum Computing Cybersecurity Preparedness Act was signed into law in December 2022. It directs federal agencies to inventory their cryptographic systems and prepare to migrate them to post-quantum cryptography, addressing the risk that a sufficiently powerful quantum computer could break the public-key algorithms in use today, including data that is harvested now and decrypted later.

Additionally, the National Institute of Standards and Technology (NIST) is developing its post-quantum cryptography standards, having selected the first algorithms for standardization in July 2022, to help organizations implement the tools they need to withstand quantum-enabled cyber-attacks.

In the UK, the government is taking strides to help organizations tackle the threats posed by AI. For example, the National Cyber Security Centre (NCSC) issued guidance in September 2022 designed to help organizations mitigate adversarial machine learning. In March 2023, the government published a policy paper on AI regulation, which includes the implications of AI development for cybersecurity.

A Multi-Faceted Approach

The past few years have seen a surge in cybersecurity and data protection legislation, and, as a relatively new area of government policy, the legal framework will undoubtedly be refined going forward.

While regulation is an important step in securing critical systems and data, a prescriptive approach is not desirable in such a rapidly evolving sector. Instead, laws must be developed in conjunction with industry and practitioner-led initiatives, and security teams must retain a flexible posture when dealing with threats.

An example where a multi-pronged approach appears to be working well is in relation to ransomware, where a marked decline in extortion payments is being observed following an explosion of incidents in 2021.

A report by Chainalysis in early 2023 identified a range of reasons why victim organizations are less likely to pay extortion demands. These included government guidance and sanctions against particular groups and individuals, which increase the legal risk of paying ransomware actors.

Another important factor was cyber insurance, with insurers becoming stricter about what they will pay out for, and also demanding enhanced cybersecurity measures from clients, including backup and recovery processes that allow them to restore operations quickly after a ransomware attack without paying.
