After three decades of widespread development in digital technologies and telecommunications, it has become evident that cybersecurity cannot be adequately ensured by the market's "invisible hand." Cybersecurity market failures call for state intervention to advance the public interest and mitigate cybersecurity risks. These failures include underinvestment by companies in cybersecurity because part of the cost of a data breach is externalized onto customers and third parties, a lack of efficient information sharing because firms fear antitrust exposure, and the absence of product liability for software and hardware. In contrast to the engaged role states play in advancing the public interest in other high-risk domains such as food safety, transportation, health services, and financial operations, states have yet to engage in systematic regulation of private-sector cybersecurity risk.
The creation of regulatory regimes to enhance cybersecurity entails the establishment of norms, rules, monitoring procedures, and enforcement practices for minimizing harm to the public. The vulnerability of digital technologies creates risks to critical infrastructures, business continuity, intellectual property, trade secrets, and consumer privacy. Cyber technologies are used across all sectors and for an increasing number of purposes, even though their security cannot be completely assured: we still lack the ability to fully understand, let alone prevent, the ways in which software and hardware fail. Because security cannot be measured the way the safety of a bridge or a food product can, regulatory intervention is a significant challenge, and regulators tend to avoid the traditional command-and-control methods of state regulation. The problem is exacerbated by the rapid pace and associated uncertainty of technology development, as well as by the involvement of a vast number of stakeholders from the government, private, and scientific communities.
A comparative analysis of cybersecurity regulations across the United States, the European Union, the United Kingdom (UK), France, Germany, and Israel reveals a variety of risk approaches, levels of investment, degrees of institutionalization, and positions on the influence of intelligence bodies. Still, a common theme emerges: none of these states makes a systematic effort to address cybersecurity in the private sector. Many states have rapidly increased their cybersecurity budgets in recent years and have expanded efforts to build capacities in information sharing, cybersecurity standardization, and risk management planning. However, no state currently provides systematic guidance to the private sector as a whole to protect national security against the consequences of private-sector cybersecurity breaches.
The EU has recently sought to expand its oversight of the private sector through its new Network and Information Security (NIS) Directive, which imposes strict and unprecedented requirements on digital service providers such as cloud service providers and online search engines. In contrast to the EU, the United States applies government intervention to selected actors within the private sector, such as companies that process health or financial records, but does not regulate the private sector as a whole. France and the UK likewise work with a selected set of private-sector actors, while Germany attempts to increase the influence of the state over the private sector only in the case of critical infrastructures. For such infrastructures, minimum standards of protection, based on international frameworks such as the ISO/IEC 27001 family of standards, are required across the supply chain of service providers. In the absence of systematic approaches to mapping and mitigating cybersecurity risks, this selective state approach to private-sector cybersecurity constrains the ability of each state to ensure its national security.
Beyond mandatory state regulations, there is also variance in the types of incentives offered to advance cybersecurity in the private sector. In the United States, such incentives mainly consist of liability protections for private-sector actors that share information regarding cyber threats with the government. The EU is currently developing its own certification regime to designate products as "cyber-secure" in a way that will be recognized equally across member states, decrease the fragmentation of the market, and motivate manufacturers to certify their products in order to increase sales. The UK obligates government contractors to apply certain security controls, and France offers a voluntary labeling scheme for cybersecurity products that sets a high bar for manufacturers competing to provide services in the country. Germany offers a similar security evaluation for products and also invests in forms of public-private cooperation, including periodic round tables with key cybersecurity stakeholders and free access for the private sector to government information on cyber threats.
The Israeli case exhibits some unique regulatory characteristics. The nation benefits from close and trusting relationships between public and private entities, and its regulatory strategy has recently shifted to a centralized and consolidated approach under the newly established National Cyber Directorate. Until 2015, different regulators, consisting of either governmental departments or dedicated authorities, were responsible for formulating state cybersecurity guidance within their respective jurisdictions. Recently, however, the National Cyber Directorate has made several attempts to consolidate cybersecurity regulation under one sovereign authority to ensure proper implementation of cybersecurity guidelines; for example, the Directorate has placed its own personnel in eighteen governmental departments. Still, despite recent attempts to categorize firms in the market and set the cybersecurity level required of each category, there is no systematic process to identify and measure in advance the potential damage to national security from a private-sector cybersecurity breach.
For each of the states mentioned above, the lack of consistent government regulation of the private sector is especially alarming because the private sector is the dominant actor in cyberspace. Even though private companies are the firms most exposed to cyberattacks, they continue to set their own cybersecurity standards according to operational and economic constraints, even where their negligence exposes the public to risk. Antitrust laws compound the inherent failures of the cybersecurity market by deterring companies from freely sharing information regarding cyber threats across the entire ecosystem and thereby improving risk assessment. States must address such deficiencies as they build their regulatory regimes for private-sector cybersecurity. Just as companies have come to face repercussions for the negative impact of their operations on the environment, they should assume liability for cybersecurity breaches with the potential to cause damage at the national level. Nonetheless, state intervention should adopt a "smart regulation" approach and rely on a mixture of regulatory tools, embracing incentive-based approaches such as certification, liability shifting, and risk spreading (insurance), to govern a rapidly developing domain.
As decision-making processes and critical infrastructures gradually become digital, every potential regulatory model for cybersecurity must advance the public interest in cyberspace, even where that interest conflicts with private commercial interests. Ensuring information security, business continuity, national security, trade secrets, and individual privacy across the entire spectrum of digital society is critical for future human prosperity.
Dr. Col. (Res.) Gabi Siboni is the director of the Cyber Security Program at the Institute for National Security Studies (INSS), Tel Aviv University, and the CEO of G. Bina Ltd., a cybersecurity consulting firm.
Ido Sivan-Sevilla is a research fellow in the Cyber Security Program at the Institute for National Security Studies (INSS). He is writing his PhD thesis on the regulation of emerging cybersecurity and privacy risks at the Hebrew University of Jerusalem.
The authors of this article are working to publish a comprehensive study by the Institute for National Security Studies (INSS) on cybersecurity regulation of the private sector. The upcoming book surveys cybersecurity strategies in key Western countries, adapts regulatory strategies from parallel domains, and builds a multi-layered regulatory model for cybersecurity in the private sector. While the model addresses Israeli cyberspace, it provides strategies applicable to other countries as well. The suggested framework uses several tools for oversight and is based on self-regulation by private-sector entities, as well as mandatory and incentive-based regulation by the state.