In 2017, the new administration will push for more legislation around cybersecurity, but it will be ultimately ineffective.
There is a general misconception that legislation deters cyber-attackers, whether nation-state or financially motivated. International agreements like the Wassenaar Agreement, along with other local and national laws, are still a major topic of discussion, particularly heading into 2017. The problem is that none of these laws will be effective, because they are either difficult to enforce or simply unrealistic, or both. In fact, laws are already in place for consumer protection, breach notification and data regulation, and they have still left us with Sony- and Yahoo-scale breaches.
For example, the Wassenaar Agreement attempted to classify vulnerabilities as akin to weapons, in order to stop people from selling and weaponizing them. The net effect would actually be the criminalization of legitimate security research and increased trading of vulnerabilities in the underground, with a corresponding rise in prices. Those who sell directly to the underground market will find whatever ways they can to bypass the regulation, while helpful research that could benefit the industry would be hindered.
Wassenaar could lead to the eradication of third-party bug bounty programs. As a result, over time, “play-it-safe” researchers could be more tempted to go the underground route, ironically defeating the actual purpose of such a regulation to begin with. If a global nuclear treaty didn’t work, we cannot assume that a global cyber treaty would work, especially given that cyber activities are difficult to attribute to a specific nation-state.
This brings us to another problematic issue from a legal standpoint — attribution. While cyber attacks can be just as dangerous as physically stealing something (sometimes more dangerous), it is incredibly hard to identify the perpetrator. For instance, if someone steals a car they can be identified as the culprit through surveillance cameras, a bystander, forensics, or if they are found driving the car. If someone takes control over a car remotely through its software system, they are not seen, and even the IP trail could have been altered. Expert hackers are good at covering their tracks online.
As record-breaking breaches rise and mass awareness of cybersecurity issues increases, there will undoubtedly be a surge of legislation proposed in 2017 to attempt to mitigate the risks. Due to difficulties with enforcement and attribution, such laws will be ultimately ineffective.
What then should the government do?
- Regulate vulnerability disclosure. This would turn the 90-day window for vulnerability disclosure, which has been industry practice for some time, into an actual regulatory requirement. There will still be wrinkles to iron out, such as how to enforce such a law, what happens when a patch cannot be developed in just 90 days, etc. The idea, though, is to put the onus on software vendors to resolve vulnerabilities within a reasonable window to reduce risk.
- Enforce penalization of companies that do not keep up with a security standard. There is no need for more regulations and standards. Breaches occur even for companies that are PCI-compliant, for instance. What we need are consequences for failure to follow reasonable security standards. For instance, data breach notification rules are applicable only if the companies are caught. This creates an opening for opportunistic vendors to search for stolen or leaked data on underground forums and sell it back to the victim without the company having to disclose that breach. Proper enforcement and penalization would stop this type of bottom-feeding activity and motivate companies to step up their security game.