Thanks to Vlad “The Invader” Putin, the EU, UK and US are fast-tracking cyber laws. In the US, legislation that transcends partisan politics will bring the country up from being 20 years behind the European Union (EU) level of regulation to only six years behind by the end of 2022. But some experts think the laws and regulations lack proper incentives beyond fines and prosecution.
The EU set the standard in 2020 with updates to existing regulations. The Network and Information Systems (NIS) Regulations established in 2018 implemented the EU Cybersecurity Directive of 2016. Since the directive was set prior to Brexit, the UK laws mirror the EU’s.
Under the NIS Regulations, essential services businesses and digital service providers must register with the relevant competent authorities. They need to meet a baseline level of cybersecurity requirements and report incidents with a significant impact on their services. In 2020 there were several changes to the regulations.
- Adding managed services, including cloud computing, to the broader ‘digital services’ definitions.
- A new proactive supervision tier for service providers to governments, infrastructure and military, and reactive supervision tier for everyone else.
- New powers enabling the government to update the regulations.
- Expanded reporting duties to include significant incidents even if they don’t impact services.
The most significant change is adding managed services beyond government and infrastructure to the mix. This includes service providers with privileged access or connectivity to customer data, IT infrastructure, networks and systems. The regulation covers service providers even if they don’t perform functions like processing and/or storage of confidential or business-critical data. Examples include managed print services, WAN support services, security monitoring, BPO, application management and data analytics services.
Hot on the heels of the EU regulations in the U.S. is Senate Bill 3600, also known as the Strengthening American Cyber Security Act (SACA) of 2022. The law updates the 2012 Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA) of 2002. The third part of the package is a new law, the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Of the three, the last was the most controversial because it gives service providers 72 hours to report an incident. The fact that there was no reporting requirement at all before seems to have been lost in the conversation.
These were combined by Congress because some legislators wanted to be sure that none got passed before the others. But the real impetus was the fear of a massive cyber retaliation from Russia over sanctions. The impact of the laws brings US cyber regulations to par with the EU … as of 2016. Government and critical infrastructure are covered, but nothing else. However, observers see the legislation as a big step in the right direction.
Fernando Montenegro, Senior Principal Analyst on Cybersecurity Infrastructure at Omdia, pointed out that most US organizations don’t know where to start when it comes to properly securing data.
“SACA clarifies a broad set of requirements that we would expect prudent organizations would already be doing – or be in a good position to adopt – anyway,” he said. “Security professionals in organizations affected by this legislation now have one more arrow in their quiver as they look to push ahead with security initiatives.”
But whether the laws are a help or hindrance depends on how closely organizations study and comply with the specifics.
Carrot and stick
“There are specific timelines for reporting incidents but also a relatively broad definition of sectors it applies to,” he explained. “There are positive incentives – such as stopping disclosure of information – as well as negative ones – the threat of being held in contempt for not providing information in a timely manner.”
The civil and criminal penalties for exposing personal information encourage compliance. However, law enforcement agencies around the world say most breaches go unreported even when disclosure is required. One expert is recommending adding a carrot with the stick.
Ian Thornton-Trump, CISO for security consultancy Cyjax, thinks companies should get a tax credit, not just a business deduction, based on a percentage of revenue.
“First of all, (a credit) would stabilize the tech industry, right across the board. The second thing is businesses would be more protected,” he predicted. “We can’t completely get rid of cybercrime because there’s a giant $400 billion dollar a year business in cybercrime. But the next best thing would be to feed and sustain (the cybersecurity) industry to protect the growth potential of the economy.”
Report all breaches
Thornton-Trump said the EU, UK and US laws are a good step forward in aligning data privacy laws, pointing out that before SACA, there were 52 state and territorial sets of laws of varying effectiveness. And before the GDPR there were 27 sets among the EU members. He thinks, however, that the current regulations in both the EU and US don’t go far enough. He points out the laws focus only on the protection of personal identity. “A company can lose billions of dollars in intellectual property without a single customer record or employee record being stolen. So data breaches, in general, need to be reported, not just ones with personal, personal sensitive information.”
Apparently, while we’ve come a long way, we still have a ways to go before we have an effective cybersecurity policy.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.