Cyber Regulations: Tailoring Compliance for Different Sectors

The Biden administration’s new National Cybersecurity Strategy aims to prevent cyber incidents from disrupting operations and avoid cascading impacts on the U.S. economy and national security. The strategy proposes two regulations: one from the U.S. Department of Defense, which provides regulated entities with flexibility to implement broad security principles, and another from a now-superseded regulation for pipeline operators, which is specific and risk-based.

The first regulation provides regulated entities with significant flexibility to implement broad security principles, but it lacks guidance on how serious a flaw needs to be to require fixing and on how long counts as “timely.” The second regulation, from a now-superseded U.S. regulation for pipeline operators, is risk-based, but may not be suitable for all entities due to its focus on patching the most severe vulnerabilities.

The new U.S. National Cybersecurity Strategy puts these issues at the center of the cybersecurity debate by pushing for new regulations that are performance-based, agile, tailored for each critical-infrastructure sector, and harmonized to reduce duplication. However, there is little research to guide policymakers in answering these questions. Jim Dempsey’s influential Lawfare article set an initial path for such research, and the second regulation on patching is by far the more performance-based regulation. Critics argue that this tightly prescriptive rule is not what the White House wanted to encourage, as it was one of the most performance-based cyber regulations ever. Instead, they want more management- or principles-based regulations.

Cyber regulations are divided into two types: ends-based and means-based. Ends-based regulations are broadly command-and-control regulations, requiring the government to specify what regulated entities should seek or avoid rather than relying on tax incentives or self-regulation. Means-based regulations regulate for some proxy for regulators’ actual goals by mandating or forbidding particular behaviors, processes, or technologies. Micro-level regulations require either the adoption of specific means or the attainment of concrete outcomes, while macro-level regulations include only the most general requirements.

Performance-based regulations are micro-ends, also known as outcome-based regulations, which mandate achieving or avoiding specific outcomes that are the ultimate concern for the regulator. Recovery-time objectives, such as the two-hour limit for systemically important clearing and settling firms, are performance-based, as regulators want a specific result (recovery and resumption of clearing and settling) in a specific time frame (two hours). The National Cybersecurity Strategy encourages this model, as it specifies a regulator’s desired outcomes. However, performance-based regulations are often an unsuitable or unavailable choice for cybersecurity, which is immensely difficult to measure because of technology’s rapid pace, creative adversaries, and the need for flexibility.

Performance-based regulations may reduce flexibility, as strict deadlines can undermine security by tying up resources that could be used to address more severe risks. For example, giving pipeline operators just 15 days to patch critical vulnerabilities is measurable but far too specific: patching at scale is complex, and only a small fraction of vulnerabilities are ever exploited.

Performance-based regulations like recovery-time objectives are most appropriate for sectors that are broadly homogeneous, similar and stable over time. They may be more suitable for the pipeline sector, where companies are relatively similar and stable, than for fast-changing and diverse sectors such as fintech. In summary, performance-based regulations are most suitable for mostly homogeneous, stable sectors and entities.

Management-based regulations are macro-means, requiring general planning and management practices. They are useful when outcomes cannot be measured but regulators want to reduce specific risks. This is particularly relevant in cybersecurity contexts where processes can help. Examples of such regulations include pipeline regulations that require technical or procedural controls for cyber intrusion monitoring and detection, and the Cyber Risk Profile for the finance sector that requires tools and processes to ensure timely detection, alert, and activation of the incident response program.

Management-based regulations are worth considering when governments face hard-to-assess risks generated by diverse firms, as technology is constantly changing. For cybersecurity, they may be a better fit than performance-based regulations due to the constant changes in technology. Principles-based regulations are macro-ends, aiming to give regulated entities flexibility in achieving desired objectives. They promote a more flexible regulatory approach, enhance responsiveness to market innovation, discourage loophole behavior and checklist-style approaches to compliance, encourage direct involvement of senior management, lower compliance costs, encourage innovation, and promote comparability and convergence among international regulators. Management-based regulations are more general and effective than performance-based ones, particularly in cybersecurity contexts where outcomes cannot be measured but some processes can help reduce specific risks.

Principles-based and management-based regulations are particularly relevant for harmonization, as they are more general and each regulated entity is responsible for meeting the goals as they think best. Principles-based regulations are particularly good for sectors like finance, which are more likely to have mature teams that can translate the broad regulatory outcome into entity-specific behaviors and measure compliance. However, principles-based regulation requires a robust system of external oversight and post-hoc enforcement of the rules, such as the extensive structure built for the finance sector.

Rule-based regulations, such as performance-based regulation in the National Cybersecurity Strategy, can provide greater clarity to regulators and defend against private litigation. Prescriptive rules, unlike principles, can provide more effective defense against private litigation. For instance, clearing and settling firms may find a government-mandated recovery-time objective clearer than the Cyber Risk Profile or the Canadian financial regulator’s requirement.

Chief information security officers (CISOs) may not want specific cyber regulations, but such regulations do give them more objective measures of success to ensure they are not indicted for having insufficient internal controls. A rules-based approach is most effective when regulators are able to adopt rules that can endure, remaining relevant despite changes in business models, customer demands, and technology. Examples include:

  • Disabling executable code applications by default on all information technology and operational technology assets to reduce the risk of malware.
  • Participating in a threat and vulnerability information sharing source(s) that provides information on the threat.
  • Reporting annually to the Covered Entity’s board of directors or equivalent governing body.
  • Having an asset inventory of all critical IT systems.
  • Using administratively separate build environments.

Several suggestions follow for regulators as they harmonize existing regulations and develop new ones. First, regulators should assess whether rules are micro or macro, and ends or means. Some regulations may be performance-based, while others need to specify processes.

Second, the ONCD should work with sector risk-management agencies, regulators, and chief economists to determine the best type of regulation for their sector, leveraging market failures. A rules-based approach is better for the water and waste-water sector, which is relatively stable, while regulations for the finance sector should be more based on principles. Third, regulators should aim for principles-based regulations that are more amenable than those with more specific rules. Aligning more exact rules can come later with more experience and trust.

The ONCD should begin coordinating a new cyber-regulation strategy, as regulation is the most important, complex, and politically sensitive cyber project ever undertaken by the federal government. This strategy, or less formal road map, would slot underneath the National Cybersecurity Strategy to coordinate the full range of regulatory work, including harmonizing existing regulations, establishing minimum security baselines for critical infrastructure, pushing for software liability, exploring options for regulations for platforms or major service providers, and continuing other important work.

The coordination of a regulatory strategy or road map may be more challenging than the recent strategy on cyber education and workforce, as many independent regulatory agencies cannot be bound by such a document. The right process should reinforce the Forum for Independent and Executive Branch Regulators, led by Federal Communications Commission chair Jessica Rosenworcel.
