Tuesday, November 27, 2012

Effective (Cybersecurity) Regulations - focus on What, not How.

There are many indications that in the USA President Obama may promulgate an Executive Order on cybersecurity, due to the lack of lawmaker movement on the same topic. There is a strong feeling that there is a need to keep digital information and systems 'safe'.

White House moves on cybersecurity

I hope they learn from Healthcare. The focus on Privacy and the use of the Breach Notification system has had a measurable effect: clear requirements of 'what' to do, not 'how' to do it, with clear and executed ramifications for failure. It is amazing what a little 'sunlight' will do.

Largescale Health Data Breaches Declined in 2012 OCR Data Show

Healthcare used HIPAA and HITECH, two regulations that defined the outcome expected, as well as the OCR 'wall of shame' for breach notifications. These are good examples of regulating to the outcome, not the means. This is a general pattern, not specific to healthcare or to security, but applicable to all things that can be regulated.

To be effective and long-standing, a law needs to be independent of technology. This is why I point out that the regulation should be about 'what' needs to be done, or what the good outcome should look like. When it is goal oriented, a law/regulation can be met by an ever-evolving set of technology and policy, one that can adjust with time to incorporate new technology and new policy as needed.

When regulation over-extends and explains 'how' to achieve the solution, we end up with a law that will not be as effective and will not age well. It will not be as effective because many will try to figure out how to get around the specifics; they have some reason not to agree with the 'how' indicated, and this is often simply Not-Invented-Here. A prescriptive regulation or law will also become less effective as soon as the landscape changes: as attackers learn new vulnerabilities, as technology changes, and as new use-cases come about, such as mobile applications.

Regulate the 'what to do' or 'what is the result desired'. Don't regulate 'how to do it'.