Cybersecurity Regulations: 3 Arguments for Balanced Oversight

Globally, cybersecurity regulations are poised to reach new heights, fueled by the growing threat of malicious cyberattacks from rogue hackers and state actors.

There are many arguments for and against a stringent cybersecurity regulatory environment. As governments seek to strengthen cybersecurity measures, it’s essential to consider the potential consequences of over-regulation. An enhanced regulatory environment, accompanied by industry oversight and enforcement, can have unintended negative consequences, while lenient industry regulations can pose unique and problematic challenges.

Driven by the need to secure individuals, governments, enterprises, and critical infrastructure dependent on digital assets, over-regulation in the cybersecurity industry could become a barrier to growth, a financial burden for companies already struggling with tough market realities, and a competitive edge for threat actors.

GDPR: A Case Study in Problematic Legislation

Enhanced regulatory oversight can help protect individuals and organizations from cyber threats. However, over-regulation can have negative unintended consequences.

A notable example of problematic regulatory oversight in the cybersecurity industry is the release of the European Union’s General Data Protection Regulation (GDPR). While the GDPR is a cybersecurity regulation intended to protect individuals’ privacy rights, it has also created challenges for businesses, particularly those operating across borders.

Some of the challenges created by the GDPR are:

  • Compliance Costs: The GDPR imposes significant compliance costs on businesses, particularly smaller ones. These costs include hiring data protection officers, conducting data protection impact assessments, and implementing technical and organizational measures to ensure compliance.
  • Complex and Evolving Regulations: The GDPR is a complex piece of legislation, and its requirements are constantly evolving. This makes it difficult for businesses to keep up with the latest cybersecurity regulations and ensure compliance.
  • Conflicting Regulations: The GDPR may conflict with other data protection laws that businesses are subject to, such as those in the United States. This can create confusion and make it difficult for global enterprises to comply with local data and privacy laws.
  • Data Transfer Restrictions: The GDPR imposes restrictions on the transfer of personal data outside the EU. This can make it difficult for businesses to share data with their global partners and customers.

While the GDPR is well-intentioned legislation aiming to protect individuals’ privacy rights, its implementation has been marred by complexity, ambiguity, and conflicting regulations. Businesses struggle to comply with its requirements, highlighting the need for careful consideration before enacting regulations in the complex cybersecurity industry.

Three Negative Consequences of Over-Regulation

  1. Hindered Innovation: When cybersecurity regulations are excessive, the rules can become confusing and innovation can be stifled. Compliance can become an overwhelming burden for companies navigating the complexities of daily operations and product rollouts. This can become a barrier to growth, or to even entering the cybersecurity arena at all. According to the Forbes Technology Council, due to a critical shortage of experienced cybersecurity professionals, the expertise needed to become compliant may not even be available (Rend, 2023).
  2. Financial Burden: Managing compliance with excessive cybersecurity regulations can be costly due to the increased need for legal advice and employee training. This can disproportionately affect startups and small businesses already struggling to compete. For larger corporations, an entire department based on compliance may need to be formed. Ultimately, regulators imposing rigorous standards, while admirable in their intentions, can potentially create an industry where compliance is often unattainable.
  3. Competitive Disadvantage: Over-regulated industries can become like lumbering giants, slow-moving and rigid. The big picture can become lost as companies shift priorities, becoming overly focused on compliance at the expense of fulfilling the objective of cybersecurity through innovation and adaptation. As a result, the industry becomes less agile and responsive to emerging threats. Meanwhile, threat actors have no such restrictions, making it difficult for security specialists to compete.

The Wassenaar Arrangement: A Cautionary Tale

Another example of regulatory oversight of the cybersecurity industry gone awry is the Wassenaar Arrangement, a framework regulating the export of dual-use goods and technologies, including cybersecurity tools.

In 2013, the Wassenaar Arrangement was updated to include new controls on the export of “intrusion software” and “Internet Protocol (IP) network surveillance systems.” Regulators intended to prevent the export of these technologies to countries with poor human rights records, where they could be used to suppress dissent.

However, the cybersecurity industry widely criticized the updated regulations, which were seen as overly broad and vague. Many cybersecurity researchers and companies argued that these regulations would hinder their ability to share information and collaborate on security research, as they would be required to obtain licenses to export even basic security tools and techniques.

The regulations also seemed to imply that even benign security research could be considered “intrusion software” and therefore subject to export controls. This led to fears that cybersecurity regulations would stifle innovation and hinder the development of new security technologies.

Thankfully, the controversy surrounding the Wassenaar Arrangement led to a re-evaluation of cybersecurity regulations, and in 2017 participating countries agreed to revise the controls to reflect the needs of the cybersecurity industry.

Compliance Fatigue Syndrome

Heavy regulatory oversight of the cybersecurity industry has sometimes created an atmosphere of compliance fatigue for private-sector companies and critical service providers.

National Defense Magazine (Borys, 2017) cites Compliance Fatigue Syndrome as, “A state of chronic fatigue induced by having to constantly maintain compliance with the ever-increasing variety of rules, regulations and processes created by middle management bureaucrats in both public and private organizations”.

The Other Side of the Coin: Lax Regulations

While over-regulation can be detrimental, permissive or absent cybersecurity regulations could encourage lawlessness in an industry already weaponized for industrial and state security purposes and lead to catastrophic data security failures.

Consider the 2017 Equifax data breach that exposed the sensitive personal data of over 147 million people. Equifax failed for months to patch a known vulnerability in its software, which allowed hackers to gain access to the company’s systems. At the time, there were no federal regulations in the US requiring companies like Equifax to implement robust cybersecurity measures or to notify consumers in the event of a data breach.

Thankfully, all is not lost; lawmakers and regulatory bodies can strike a balance that allows the cybersecurity industry to fulfill its important mandate of protecting individuals, organizations, and states, while still maintaining accountability.

Finding a Balance

Ultimately, the key to effective cybersecurity regulation lies in striking a balance between oversight and innovation. Lax regulations can be problematic, while undue industry interference by regulators can create compliance fatigue, stifle innovation and competition, and create unnecessary financial challenges for companies. In a worst-case scenario, it could hinder the ability of the cybersecurity industry to perform its job of defending against cyberattacks.

Policy-makers charged with oversight must strike a legislative balance by creating a regulatory framework that fosters innovation and accountability while supporting the cybersecurity industry to protect state, enterprise, and consumer interests.

Risk management is an important aspect of regulatory compliance.

References

Rend, J. (2023, March 1). Why overcoming the cybersecurity labor shortage matters to company success. Forbes Technology Council. https://www.forbes.com/sites/forbestechcouncil/2023/03/01/why-overcoming-the-cybersecurity-labor-shortage-matters-to-company-success/?sh=50f3d5837766

Borys, C. M. (2017, November 28). Compliance Fatigue Syndrome is Real. National Defense Magazine. https://www.nationaldefensemagazine.org/articles/2017/11/28/compliance-fatigue-syndrome-is-real