Forecast cybersecurity regulation v3
CYBERSECURITY REGULATIONS ORLANDO, JOE [US-US]
Summary
Due to the volatility, force and pace with which technological innovation is moving through the
global economy, cyber risk has become the biggest contemporary threat to all actors, especially
private enterprise.
Taking a regulatory perspective must be a key part of any overall successful strategy. However,
as regulations grow increasingly complex, doing the minimum in compliance is no longer
enough. It is increasingly evident that governments and customers will view a
provider’s security posture less from a compliance perspective and more as a competitive
differentiator. A provider of products and services will have to consider compliance simply as
the ante to earn the right to compete in the marketplace.
Drivers for regulations are most abundant in Financial Services; Healthcare;
Telecommunications; Critical Infrastructure and Government systems.
Despite high profile breaches — from Target to Yahoo — legislation to toughen data protection
standards hasn't gained traction, but it's not for lack of effort.
A search for "cyber security" yields 141 pieces of legislation — including bills and amendments
— that have gone before the 115th Congress with those words in the title or body and cover a
variety of areas.
Given the current focus of the Administration to “deregulate” and a partisan Congress, it is less
likely that sweeping new national regulation will be realized over the next two years. This
means that the States (as we are seeing from California, Maryland and New York) will be
driving a great deal of the regulatory changes. It is more than fair to say that regulation alone
does not make any system more secure. Coming to terms on consistent metrics will be key. One
cannot manage what one cannot measure.
The Challenge in Cybersecurity Regulation
Cybersecurity is a fast-morphing mix of people adapting new behaviors to new ways of doing
things, with ever newer technologies. This means that making any assumptions about what
regulations will be needed six days; six weeks; and six months from now is more than
problematic. Most legislation is initiated well after the fact and driven by a wave of litigation
and special interest lobbying. Meaningful cyberwarfare requires a more expeditious approach.
To regulate something, you must know all the players; the expected and desired actions of each
of the players and the mutually agreed upon desired outcome. To leverage the sports
metaphor, we know the right number of players in the game; their positions relative to one
another and what it means to score a point.
In the cyber world, we can’t know all the players; we cannot predict “how” they will arrive to
play; whether they come to “score points” or to simply disrupt the game; and the rules, as
outlined, are merely guideposts for what to avoid. And, currently, only one team plays offense
and the other defense, throughout the competition. This game never ends.
In order for citizens, governments, and industries to be able to begin to effectively regulate
cybersecurity, we must find a common definition of terms; a comprehensive series of
meaningful metrics; a consensus on approach; a consistent application across geographies; a
constructive incentive scheme and a crushing global deterrent.
The current internet infrastructure and regulatory frameworks are poorly tailored to keep pace
with the evolution of the internet and the digital realm in general. A very significant number of
NIST publications are in the process of being revised, rewritten and/or retired based on the
introduction of new technologies and the obsolescence of others, and most of these
publications were written in this millennium. NIST Special Publication 800-53 Rev. 1
was published in 2008.
Therefore, a majority severely lag behind present technology and threat level awareness. This is
because the internet infrastructure was not designed to cope with present data quantities and
the myriad of actors challenging the very scope and content of it.
Cyber security legislation and compliance, if it comes into force, is ever-shifting. Consequently, it is
crucially important that companies anticipate tomorrow‘s regulatory environment. In particular, when
they are active in multiple jurisdictions, it is fundamental to systematically track evolving laws
and regulations in order to be able to respond to legal and political challenges on time.
Which Laws Kick Started Cyber Regulations?
There are three main federal cybersecurity regulations:
• 1996 Health Insurance Portability and Accountability Act (HIPAA)
• 1999 Gramm-Leach-Bliley Act
• 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA)
These three regulations mandate that healthcare organizations, financial institutions, and
federal agencies should protect their systems and information. However, these rules are not
foolproof in securing the data and require only a “reasonable” level of security.
For example, FISMA, which applies to every government agency, “requires the development
and implementation of mandatory policies, principles, standards, and guidelines on information
security”.
But, these regulations do not address numerous computer-related industries, such as Internet
Service Providers (ISPs) and software companies. Furthermore, the vague language of these
regulations leaves much room for interpretation.
More Recent Federal Cybersecurity Laws
In a recent effort to strengthen its cyber security laws, the federal government is introducing
several new cyber security laws as well as amending the older ones for a better security
ecosystem. Amendments and expansion of these existing laws could happen well before any
new regulation is passed. Below are a few of them:
Cybersecurity Information Sharing Act (CISA): Its objective is to improve cybersecurity
in the United States through enhanced sharing of information about cybersecurity
threats, and for other purposes. The law allows the sharing of Internet traffic
information between the U.S. government and technology and manufacturing
companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in
the Senate on October 27, 2015.
Cybersecurity Enhancement Act of 2014: It was signed into law December 18, 2014. It
provides an ongoing, voluntary public-private partnership to improve cybersecurity and
strengthen cybersecurity research and development, workforce development and
education and public awareness and preparedness.
Federal Exchange Data Breach Notification Act of 2015: This bill requires a health
insurance exchange to notify each individual whose personal information is known to
have been acquired or accessed as a result of a breach of security of any system
maintained by the exchange as soon as possible but not later than 60 days after
discovery of the breach.
National Cybersecurity Protection Advancement Act of 2015: This law amends the
Homeland Security Act of 2002 to allow the Department of Homeland Security’s (DHS’s)
national cyber security and communications integration center (NCCIC) to include tribal
governments, information sharing, and analysis centers, and private entities among its
non-federal representatives. There have been very recent moves to create centers for
cybersecurity expertise and focus driven out of the DHS.
Reiterating that most regulation results from a great deal of litigation and a well-documented
history of cyber security losses, sustainable regulation has to be driven by collaborative efforts on
both sides of the aisle in Congress. In the current session of Congress, over 141 pieces of cyber
related legislation have been introduced.
Working against rapid adoption of many of these efforts are aggressive efforts by the current
Administration to deregulate; lobbying for industries resisting regulation; partisan politics; lack
of consistent interpretation of terms, outcomes, approaches, metrics and enforcement entities;
jurisdictional conflicts; geographic dispersion; and the absence of a genuine economic
incentive.
Note: To explore the Acts (and Amendments) in Congress in this session regarding Cybersecurity:
https://www.congress.gov/search?q=%7B%22congress%22%3A%22115%22%2C%22source%22%3A%22legislation%22%2C%22search%22%3A%22cybersecurity%22%7D&searchResultViewType=expanded
In the Absence of Federal Laws We Will See More from State Laws
State governments also have taken sincere measures to improve cyber security by increasing
public visibility of firms with weak security.
Cybersecurity Laws of California
In 2003, California passed the Notice of Security Breach Act, which requires that any
company that maintains personal information of California citizens and suffers a security
breach must disclose the details of the event. The security breach
regulations punish firms for their cyber security failures while giving them the freedom
to choose how to secure their systems.
This regulation creates an incentive for companies to proactively invest in cyber security
to avoid potential loss of reputation and economic loss. This worked well for California,
and several other states later implemented similar security breach notification
regulations.
Cyber Security Laws of New York
The financial services industry is a significant target of cyber security threats. Over the
past few years, the New York State Department of Financial Services (“DFS”) has been
closely monitoring the ever growing threat posed to information and financial systems
by nation-states, terrorist organizations, and independent criminal actors.
Given the seriousness of the issue and the risk to all regulated entities, certain
regulatory minimum standards are warranted, while not being overly prescriptive so
that cyber security programs can match the relevant risks and keep pace with
technological advances.
Accordingly, this regulation is designed to promote the protection of customer
information as well as the information technology systems of regulated entities. This
regulation requires each company to assess its specific risk profile and design a program
that addresses its risks in a robust fashion.
The New York Cyber Security regulation has been effective since March 1, 2017.
Covered Entities will be required to annually prepare and submit to the superintendent
a Certification of Compliance with New York State Department of Financial Services
Cybersecurity Regulations commencing February 15, 2018.
More State Regulations to Come
Cybersecurity continues to be a concern for government and the private sector. It has
enormous implications for government security, economic prosperity and public safety.
States are addressing cybersecurity through various initiatives, such as providing more funding
for improved security measures, requiring government agencies or businesses to implement
specific types of security practices, increasing penalties for computer crimes, addressing threats
to critical infrastructure and more.
At least 35 states, D.C. and Puerto Rico introduced/considered more than 265 bills or
resolutions related to cybersecurity. Some of the key areas of legislative activity include:
• Improving government security practices.
• Providing funding for cybersecurity programs and initiatives.
• Restricting public disclosure of sensitive government cybersecurity information.
• Promoting workforce, training, economic development.
At least 22 states have enacted 52 bills so far in 2018. Every day, more regions introduce new
privacy and data protection bills on their way to becoming law.
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx
A Glimpse into a Globalized Regulatory Future
Nothing in recent history has had a global impact on industry as much as the General Data
Protection Regulation (GDPR). The expected departure of the UK from the EU (Brexit) will most
certainly be a catalyst for additional regulation.
By mid-2019, forced compliance with the NIS Directive by the EU member states will take place.
Therefore it is important to know whether our business is affected by the NIS, what it requires us to
do, and what this might mean in the years to come.
https://www.ncsc.gov.uk/guidance/introduction-nis-directive
The premise behind the NIS Directive is a need to improve the security of network and
information systems across the UK, with a particular focus on essential services which if
disrupted, could potentially cause significant damage to the economy, society and individuals’
welfare.
The technical requirements for the NIS Directive are limited. In order to enforce compliance
with local regulation, a government must designate Competent Authorities (CAs) having the
power to judge whether operators of critical infrastructure are complying with the regulation.
CAs are part of existing government agencies, although their structure can be different in each
country. For example, in the UK there is a CA for each sector such as railroads and energy,
whereas Germany relies on a single CA, the BSI (Bundesamt für Sicherheit in der
Informationstechnik).
Since the implementation of the NIS in local regulation is very recent, it still has to be shown
how these CAs will take up their new responsibilities.
A Small Sample of New Global Requirements
Cyber standards are being raised throughout Europe and Asia as well, with national
governments encouraging tighter security measures when working with the private sector.
European Union: The new Network and Information Security (NIS) Directive calls for
additional security protocols specific to government agencies when utilizing digital
service providers and considers extending these measures to contractors and suppliers.
United Kingdom: In order to qualify for government awards, private sector government
contractors must comply with the Cyber Essentials Scheme, involving protection of
citizens’ personal information or government data classified at the “Official” level and
above. From 1 October 2014, the Government requires all suppliers bidding for contracts
involving the handling of certain sensitive and personal information to be certified
against the Cyber Essentials scheme (base cost of about £300).
https://www.cyberessentials.ncsc.gov.uk
Australia: Government contractors and suppliers must comply with Protective Security
Policy Framework (PSPF) and Information Security Manual (ISM) requirements; the
Department of Finance requires suppliers to include data protection plans using industry
accepted standards with their proposals/contracts and are required to report breaches.
Australia’s Notifiable Data Breaches scheme
The NDB scheme applies from 22 February 2018 to all agencies and
organizations with existing personal information security obligations under the
Privacy Act. It was established by the passage of the Privacy Amendment
(Notifiable Data Breaches) Act 2017.
The scheme includes an obligation to notify individuals whose personal
information is involved in a data breach that is likely to result in serious harm.
The notification must include recommendations about the steps individuals
should take in response to the breach. The Australian Information Commissioner
(Commissioner) must also be notified of eligible data breaches.
Who must comply with the NDB scheme?
The NDB scheme applies to agencies and organizations that the Privacy Act requires to take
steps to secure certain categories of personal information. This includes Australian Government
agencies, businesses and not-for-profit organizations with an annual turnover of $3 million or
more, credit reporting bodies, health service providers, and TFN recipients, among others.
Breach Notification Form:
https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB
Japan: Contractors are required to abide by security policies aligned with government
procurement guidelines.
To Anticipate What Will Need Regulating
Regulations become dated the moment they are placed into effect. Trying to anticipate where
regulation will be needed can be driven by what trends in technologies we can forecast.
These trends bring together technologies with the potential to initiate lasting transformation in
the digital ecosystem, which we define as all of the infrastructure, software applications,
content, and the social practices that determine how the ecosystem is used. The largest trends
are as follows:
1. Cloud computing
2. Big data
3. The Internet of things
4. Mobile Internet
5. Brain-computer interfaces
6. Near-field communication (NFC) payments
7. Mobile robots
8. Quantum computing
9. Internet militarization/weaponization
10. Blockchain and open journaling technologies
11. Crypto Currencies
A Consensus on Predictions that will Impact Cybersecurity
1. While governments and private enterprise slowly invest in artificial intelligence to
support cyber security, attackers will aggressively invest in AI to aid in their attacks.
2. Growing 5G Deployment will open up a new dimension in cyber-attack surfaces
A number of 5G network infrastructure deployments kicked off this year, and 2019 is
shaping up to be a year of accelerating 5G activity. While it will take time for 5G
networks and 5G-capable phones and other devices to become broadly deployed,
growth will occur rapidly. IDG, for example, calls 2019 “a seminal year” on the 5G front,
and predicts that the market for 5G and 5G-related network infrastructure will grow
from approximately $528 million in 2018 to $26 billion in 2022, exhibiting a compound
annual growth rate of 118 percent.
Over time, more 5G IoT devices will connect directly to the 5G network rather than via a
Wi-Fi router. This trend will make those devices more vulnerable to direct attack. For
home users, it will also make it more difficult to monitor all IoT devices since they
bypass a central router. More broadly, the ability to back up or transmit massive
volumes of data easily to cloud-based storage will give attackers rich new targets to
breach.
3. IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous
Forms of Attack
4. Attackers will increasingly Capture Data in Transit
In 2019 and beyond, we can expect increasing attempts to gain access to home routers
and other IoT hubs to capture some of the data passing through them. Malware
inserted into such a router could, for example, steal banking credentials, capture credit
card numbers, or display spoofed, malicious web pages to the user to compromise
confidential information.
5. The Supply Chain will Become (more than it already has) an Attack Target
An increasingly common target of attackers is the software supply chain, with attackers
implanting malware into otherwise legitimate software packages at its usual distribution
location. Such attacks could occur during production at the software vendor or at a
third-party supplier. The typical attack scenario involves the attacker replacing a
legitimate software update with a malicious version in order to distribute it quickly and
surreptitiously to intended targets. Any user receiving the software update will
automatically have their computer infected, giving the attacker a foothold in their
environment.
These types of attacks are increasing in volume and sophistication and we could see
attempts to infect the hardware supply chain in the future. For example, an attacker
could compromise or alter a chip or add source code to the firmware of the UEFI/BIOS
before such components are shipped out to millions of computers. Such threats would
be very difficult to remove, likely persisting even after an impacted computer is
rebooted or the hard disk is reformatted.
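The update-substitution scenario above is exactly what integrity checking at install time is meant to catch. The following is an added example, not code from the paper or from any vendor it mentions: a client verifies every file of a downloaded update against a pinned manifest of SHA-256 digests obtained out of band (for instance shipped with the installer or fetched over a separately authenticated channel), in the same spirit as hash-pinning in package managers. Real update systems sign the manifest with an asymmetric key; this example stays within the Python standard library and shows the verification logic that runs once the manifest itself is trusted. The package contents, file names and the tampered variant are constructed sample data.

```python
"""Added example (not from the paper): detect a substituted software update
by checking a downloaded package against a pinned manifest of SHA-256
digests. Assumes the manifest was obtained over a channel the attacker does
not control; the package contents below are constructed sample data."""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(package: Dict[str, bytes]) -> Dict[str, str]:
    """Publisher side: map each file path in the release to its SHA-256."""
    return {path: sha256_hex(content) for path, content in sorted(package.items())}


def verify_update(package: Dict[str, bytes], pinned: Dict[str, str]) -> List[str]:
    """Client side: return a list of findings; an empty list means the package
    matches the pinned manifest exactly. Modified, missing and extra files are
    all reported, because whoever can replace an update at the distribution
    location can do any of the three. Nothing is installed unless the list is
    empty."""
    findings: List[str] = []
    for path in sorted(set(package) | set(pinned)):
        if path not in pinned:
            findings.append(f"unexpected file not in manifest: {path}")
        elif path not in package:
            findings.append(f"file listed in manifest is missing: {path}")
        elif sha256_hex(package[path]) != pinned[path]:
            findings.append(f"digest mismatch: {path}")
    return findings


# Constructed sample: the update as the vendor published it ...
LEGITIMATE_UPDATE: Dict[str, bytes] = {
    "bin/agent": b"\x7fELF...sample-agent-v2.1...",
    "lib/updater.so": b"\x7fELF...sample-updater...",
    "etc/agent.conf": b"telemetry=off\nupdate_channel=stable\n",
}
# ... with the digests pinned at the time the release was vetted.
PINNED_MANIFEST: Dict[str, str] = build_manifest(LEGITIMATE_UPDATE)

# Constructed sample: the same update after substitution at the distribution
# location, with one binary altered and one file added.
TAMPERED_UPDATE: Dict[str, bytes] = dict(LEGITIMATE_UPDATE)
TAMPERED_UPDATE["bin/agent"] = b"\x7fELF...sample-agent-altered..."
TAMPERED_UPDATE["lib/helper.so"] = b"\x7fELF...sample-added-file..."


def check_both() -> Dict[str, List[str]]:
    """Run the check over both constructed packages and return the findings."""
    return {
        "legitimate": verify_update(LEGITIMATE_UPDATE, PINNED_MANIFEST),
        "tampered": verify_update(TAMPERED_UPDATE, PINNED_MANIFEST),
    }


if __name__ == "__main__":
    for name, findings in check_both().items():
        print(f"{name}: {'verified' if not findings else 'REJECTED'}")
        for line in findings:
            print("  -", line)
```

The check deliberately reports extra files as well as mismatches: a package that carries everything the manifest lists plus one more file is not a verified package. In a deployment the manifest would be signed and its signature checked first; pinning only the digest of a single archive is a simpler variant of the same idea.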
6. Growing Security and Privacy Concerns Will Drive Increased Legislative and Regulatory
Activity
The European Union’s mid-2018 implementation of the General Data Protection
Regulation (GDPR) will likely prove to be just a precursor to various security and privacy
initiatives in countries outside the European Union. Canada has already enforced GDPR-
like legislation, and Brazil recently passed new privacy legislation similar to GDPR, due to
enter into force in 2020. Singapore and India are consulting to adopt breach notification
regimes, while Australia has already adopted different notification timelines compared
to GDPR. Multiple other countries across the globe have GDPR adequacy status or are negotiating
it. In the U.S., soon after GDPR arrived, California passed a privacy law
considered to be the toughest in the United States to date. We anticipate the full impact
of GDPR to become clearer across the globe during the coming year.
At the U.S. federal level, Congress is already wading deeper into security and privacy waters.
Such legislation is likely to gain more traction and may materialize in the coming year.
Inevitably, there will be a continued and increased focus on election system security as the U.S.
2020 presidential campaign gets underway.
While we’re almost certain to see upticks in legislative and regulatory actions to address
security and privacy needs, there is a potential for some requirements to prove more
counterproductive than helpful. For example, overly broad regulations might prohibit security
companies from sharing even generic information in their efforts to identify and counter
attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities
even as they close others.
How Can Regulators Narrow the Gap?
Rather than concede defeat, Regulators can do more to stay abreast of the challenges
presented by emerging technologies if they were to:
1. Develop and deploy permanent monitoring procedures and tools, the purpose of
which will be to monitor the development of the digital ecosystem by surveying the
various actors and interactions, and to assess the effects of these transformations on
cyber security.
2. Align the regulatory regimes applicable to the various infrastructures, applications
and content with the resources and strategies implemented by a growing number of
government actors, as well as their private partners, in order to quickly detect emerging
digital risks and limit their impact on a constantly evolving ecosystem.
3. Initiate an in-depth consultation and reflection exercise to formulate proposals on
how to restructure existing government institutions or create new ones to adapt the
government’s intervention and coordination abilities to the new needs.
4. Intensify empirical research on the transformations of risks, standards and practices
associated with privacy protection in the digital ecosystem.
5. Accentuate coordination and knowledge-transfer initiatives of national and state
authorities in order to accelerate and standardize the development of local capabilities.
This will require a near complete collaboration of efforts at the local; national and international
levels.
One recognized and recommended approach is for the Federal Government to establish a
single Agency with a consolidating charter and authority to drive advancements in
cybersecurity.
To succeed, the national cybersecurity agency should have appropriate statutory
powers. Currently, most national cybersecurity agencies are established not by statute but by
the delegation of existing powers by other parts of government. We anticipate that this
approach will need to change with the passage of comprehensive cybersecurity laws. The
delegation of existing powers, which may be subject to multiple underlying regulations, may
not be sufficient to provide the national cybersecurity agency with all of the powers it requires
to effectively carry out its new functions.
Currently, the Department of Justice has both the FBI and the National Cyber Investigative Joint
Task Force (NCIJTF). The Department of Homeland Security and the Office of the Director of
National Intelligence (DNI) apply themselves to the Cyber Threat Intelligence Integration
Center. Meanwhile, the Federal Trade Commission (FTC), the Secret Service and the National
Institute of Standards and Technology (NIST) make occasional joint efforts to bolster the
nation’s cybersecurity readiness. In February 2018, the Department of Energy (DOE)
announced the establishment of the Office of Cybersecurity, Energy Security and Emergency
Response (CESER). The DOE’s program focuses on the country’s energy infrastructure.
COMPLIANCE as a Leader and Not Simply a Monitor
Cyber security risk usually extends to all business units, operational units, employees and key
third parties. That is why the compliance function is growing as a critical role. Whenever
organizations need to do something in an ongoing and systematic way, where people are to be held
accountable, Compliance is front and center. Here are five ways Compliance can play a pivotal role
in a cross-functional approach to cyber security.
1. Own or Implement a Cyber Risk Assessment
Compliance regularly operates in the world of risk assessments and understands how to
identify an organization’s greatest risk by developing a comprehensive risk profile. With a full
understanding of a company’s risks and threats, Compliance can guide an organization’s
approach and control environment to effectively manage and mitigate risks while at the same
time deploying scarce resources toward the most significant among them.
2. Embed Regulatory Requirements into Business Operations
As with other enterprise-wide risks, cyber security is a regulatory compliance challenge for an
increasing number of companies. As mentioned above, there is a growing number of fairly
nuanced regulations addressing cyber security that apply to private and public sectors, specific
industries, and specific data sensitivities. The compliance function has the competence to
design and implement policies, procedures and controls that meet these requirements.
3. Connect the Functional Dots Across the Organization
Cyber security is an enterprise-wide risk and requires a cross-functional approach for
management. Compliance is skilled in building a systematic approach across an enterprise. It
has the regular contact and seniority to engage effectively with the C-suite, Legal, HR and other
functional and operational teams. Compliance can connect the dots across an organization.
4. Address the “People & Processes” of Cyber Security
Cyber security involves an integrated approach to “people, processes and technology.” The
compliance function has deep insights into how to engage broadly with employees and how to
collect and analyze data through the monitoring and audit processes needed to manage risks.
This proficiency in influencing employee behavior and organizational culture is a necessary skill
that complements the protection efforts deployed by the technology function.
5. Developing & Tracking Program KPIs
As another aspect of monitoring, Compliance has expertise in developing key performance
indicators (KPIs) and specific metrics to track progress and ROI, as well as developing a rhythm
for board reporting, and reporting externally, as appropriate. Consistent application of KPIs will
help cyber security programs mature over time with a cadence toward continuous
improvement. Being on a trajectory of maturing practices not only builds stronger resilience but
also demonstrates to customers, partners and regulators, as needed, a commitment to risk
management, compliance and best practices.
Now, more than ever, Compliance must play an integral part in any organization’s cross-
functional cyber security program to make sure such efforts are enterprise-wide, consistent
with regulatory requirements and embedded in how the company operates and its people
conduct their work. As with other compliance issues, organizations will need to be in a position
to tell their story of continuous improvement through KPIs, metrics and demonstration of using
best practices.
CONCLUSION
There are cries to regulate the disruptive tech giants to include Google, Amazon, Twitter and
Facebook. Not only are their business models being scrutinized but the pervasiveness of their
emerging connected environments (auto driving vehicles; artificial intelligence; Internet of
Things; telecommunications and more!) challenges the idea of effective self-regulation.
Not to make a political statement but, in the next two years under an administration bent on
deregulation (as we have seen with many consumer protection laws; environmental and
financial services regulation) and with partisan divisions, we are less likely to see any major
sweeping national regulations get through Congress. This will mean that the individual States
(as we are seeing with California, New York and Maryland) will drive more regulating strategies.
Final thoughts
Perhaps redundantly, it has to be stressed that cybersecurity should not and cannot be driven
by regulation. Regulatory relief comes too late. The drivers of innovation and inventiveness
come from business drivers and the strong desire to “be first!” in a competitive society.