How Government Regulations Can Aid Cybersecurity Defenses
Just as no man is an island, no organization is, either. Every entity, whether public or private sector, operates in an ecosystem of partners, suppliers, customers, regulators, governing bodies and everyone in between. And while we all have to be responsible for our own operations, we must do so in a way that takes into account that broader ecosystem. This is as true for innovation and commercial gain as for cybersecurity, risk and regulation. In cybersecurity, for instance, we all have a responsibility to ensure that our threat defenses are up-to-date, that our teams are educated and aware of common threats, and that we gather, store and use sensitive data appropriately. But we must also be conscious of our responsibilities as part of the wider community, adhering to regulations and government legislation, just as we would in other areas.
Cybersecurity Regulations Boom
It’s just as well because, over the last few years, we’ve seen an increase in cybersecurity regulations, particularly focusing on financial services. In the U.S., the Securities and Exchange Commission (SEC) listed cybersecurity as one of its examination priorities in 2022. In the UK, the Financial Conduct Authority and the Prudential Regulation Authority released a series of policies to provide guidance on operational resilience, covering cybersecurity. In Asia, the Monetary Authority of Singapore (MAS) issued a set of legally binding requirements to raise security standards in the financial sector.
The message from the authorities is pretty clear: Even if you didn’t think cybersecurity was an issue, the major financial jurisdictions expect you to act like it is. It’s a very prescriptive approach to cybersecurity, and some might feel like it’s a bit of an overreach. However, the implications of cyberattacks and cybersecurity threats will present a larger headache than regulatory compliance when operating a business.
Creating Consistency in Cybersecurity
But with the world’s digital footprint expanding, regulation is not just about people following rules but about creating a consistent standard that all of us committed to fighting cyberthreats can work from. That’s why President Joe Biden’s executive order on improving the U.S.’s cybersecurity, and its mention of a software bill of materials (SBOM), is so important.
An SBOM is a common way of preventing issues by identifying the components used within software. With so much software built from a variety of pre-existing code, establishing provenance can be challenging. An SBOM acts like a list of ‘ingredients’, which allows the developer to update proactively as new package releases appear and to act promptly when a zero-day exploit like Log4J materializes or a fix is released.
From a software consumer perspective, an SBOM adds peace of mind that the software vendor’s practices, transparency and maturity are of a necessary standard.
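To make the ‘list of ingredients’ idea concrete, here is an added example (not code from the original article or any SBOM tool) that reads a constructed CycloneDX-style SBOM and flags components older than the fixed version in a constructed advisory list; the advisory id and version thresholds are illustrative placeholders, not real vulnerability data.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (not taken from any real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"}
  ]
}
"""

# Constructed advisory feed: (advisory id, group, artifact, first fixed version).
# These values are illustrative placeholders, not a real vulnerability database.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("ADV-CONSTRUCTED-0001", "org.apache.logging.log4j", "log4j-core", "2.17.1"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    A plain string compare would wrongly rank '2.17.1' below '2.9.0'.
    A pre-release suffix such as '-rc1' is dropped before comparing."""
    return tuple(int(part) for part in v.split("-")[0].split("."))

def affected_components(sbom_text: str, advisories) -> List[Dict[str, str]]:
    """Return SBOM components whose installed version is older than the fixed version."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        for adv_id, group, name, fixed in advisories:
            if (comp.get("group") == group and comp.get("name") == name
                    and parse_version(comp["version"]) < parse_version(fixed)):
                findings.append({"advisory": adv_id, "component": f"{group}:{name}",
                                 "installed": comp["version"], "fixed_in": fixed})
    return findings

if __name__ == "__main__":
    for f in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['installed']} -> upgrade to {f['fixed_in']}")
```

The same matching loop is what a consumer would run on every vendor-supplied SBOM when a new advisory lands, without waiting for the vendor to confirm exposure.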
Sharing Experiences for Better Defenses Against Threats
Creating an equal playing field is a crucial role of government, whatever the industry. But with cybersecurity blurring the boundaries between what is a matter for the private sector and what is of national (and, therefore, state security) importance, greater coordination between the two spheres is necessary.
It has become increasingly evident that strong cybersecurity and incident response plans are vital to maintain data and system integrity and reduce cyberattacks’ potential impact. Communication between government agencies and industry leaders is critical to help all market participants understand past attacks, evaluate potential threats and improve overall risk posture.
That’s why initiatives like the U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) and the UK Government Cyber Security Strategy (GCSS) are significant: They aim to combine the best of both public and private sector knowledge and deliver meaningful recommendations to all businesses.
This mix of government leaders and industry professionals will be able to share exciting and valuable best practices and recommendations through their knowledge and understanding of major cyber events and communicate detailed information on past intrusions. In addition, the CSRB’s commitment to remaining transparent is what we will need to build more cyber resilience and integrity, ensuring we have the most robust protection for our critical businesses, networks and infrastructure.
Improving Knowledge Through Enhanced Threat Intelligence
The very nature of cyberattacks means a strong, mutually beneficial relationship between industry and government is not just preferable but absolutely critical. We may well have a situation where a new type of attack is trialed on smaller businesses before it is used against increasingly significant targets. How valuable would it be if governments were able to receive intelligence on those attacks and incorporate it into their threat planning? In the same way, there will be learnings that governments can share, gleaned from their experience dealing with attacks on national infrastructure.
This threat intelligence must be shared in a way that is coordinated and available to everyone, whether government departments, private businesses or cybersecurity specialists. Thankfully, it’s a requirement that is being met: In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) regularly publishes top routinely exploited vulnerabilities, highlighting where threat actors are focusing their efforts. In the European Union, the European Union Agency for Cybersecurity (ENISA) releases annual threat landscape reports, identifying threats and attack techniques and offering relevant mitigation measures. These resources provide insight into the evolving threat landscape and current trends, helping to inform organizational cyber preparedness and plans.
Protecting the Ecosystem
The world is only going to get more regulated. While this can sometimes seem suffocating, the proper rules and government input can have immense value when it comes to cybersecurity. Creating standards so everyone operates consistently, improving the sharing of threat intelligence and ensuring that all entities have access to up-to-date information will help everyone, both public and private, to deal with the latest attacks. Only this ongoing cooperation, across the ecosystems all entities operate in, will ensure threat actors are frustrated in their efforts to hurt critical infrastructure and businesses.