Should the Government regulate cybersecurity?

13 May 16

By Jon McGettigan, Fortinet senior director ANZ and South Pacific Islands

It has been famously said that, “the wheels of justice turn slowly.” That’s partly because the process most governments use when creating regulations and laws encourages debate, the careful examination of all sides of an issue, and the development of a negotiated consensus between groups with differing needs and opinions. In the modern era, this model has been very effective at promoting economic success while balancing personal freedom with social accountability.

This model is less effective, however, when it comes to regulating highly dynamic issues like cybersecurity. Networks, devices, applications, and services are changing at an exponential rate. Users and organisations are wrestling with threats on devices that didn’t even exist 18 months ago. So trying to codify cybersecurity regulations can be a lot like trying to paint a racecar as it zips around the track.

Which is why Australia is trying something new. Prime Minister Malcolm Turnbull last week announced a new $230 million cyber security strategy. Based on a year-long study of the industry, it focuses on closer collaboration between government, business, and individuals. It comprises three objectives:

1.  Making Australians aware of cyber risks, and helping them secure their computers and take steps to protect their identities, privacy, and finances online

2.  Helping Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers

3.  Ensuring that Australian Government information and communications are secure and resilient

As a key component of Objective Two, the Australian federal government will offer cyber security 'health checks' to Australia's top-100 ASX-listed companies. It is also hoping to set up voluntary guidelines "co-designed with the private sector" to help organisations improve their cyber security resilience.

The announcement has received mixed reviews from industry experts. Some feel that the inherent risk of cybercrime and the costs of a public breach, combined with the desire to offset risk with new tools such as cyber insurance, will naturally drive organisations to create and adopt more aggressive cybersecurity standards.

Others are more sceptical. Most notably, this new strategy omits the mandatory reporting of security breaches, something required in places like the US and Europe. And some feel that without specific regulations, many organisations will delay critical security upgrades.

They point out that many organisations are already aware of the risks and still have substandard security implementations. Many are specifically concerned about organisations that manage critical infrastructure, or where a cyber attack could put Australian citizens at risk, either financially or physically.

And this is where it gets tricky. Make regulations too specific, and the evolution of the technology will quickly outpace the requirements. Make them too generic, and their ambiguity dilutes their effectiveness. And one-size-fits-all standards are hard to impose across the entire spectrum of businesses. So what do we do?

Fortunately, there are models that have been pretty effective. The Payment Card Industry Data Security Standard (PCI-DSS), for example, targets a very specific business activity: the processing of credit card transactions. It has been globally adopted, the requirements are straightforward, and the penalties are severe enough to ensure compliance.

Other standards are designed to protect the privacy of individuals. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the US regulates the use and disclosure of protected health information. Many countries have adopted similar regulations designed to protect individual personally identifiable information (PII).

Other regulations have adopted a strategy of holding corporate board members personally liable if a breach occurs in a publicly traded company and it is shown that the company failed to implement adequate security based on best practices in their industry.

Nothing motivates action or frees up budget quite like personal liability.

Regardless of the outcome of Australia’s new cybersecurity strategy, we can all agree on a few things:

1. There is a huge, and growing, security skills shortage, which makes planning, designing, implementing, and optimising a security strategy increasingly difficult for many organisations.

2. Networks are becoming increasingly complex. It is not uncommon for organisations to have siloed security solutions from dozens of security vendors plugged in across their networks. This is not a strategy that can scale effectively for long.

3. A second set of eyes on your security environment, which includes things like an architectural review, penetration testing, and consulting services that help you clearly identify and prioritise a “get well” security strategy, is almost always far less expensive than a critical breach.
