Cybersecurity Regulation Will Be
Due to the volatility, force and pace with which technological innovation is moving through the
global economy, cyber risk has become the biggest contemporary threat to all actors, especially
Taking a regulatory perspective must be a key part of any successful overall strategy. However,
as regulations grow increasingly complex, doing the minimum for compliance is no longer
enough. It is increasingly evident that governments and customers will view a
provider's security posture less as a compliance matter and more as a competitive
differentiator. A provider of products and services will have to treat compliance simply as
the ante to earn the right to compete in the marketplace.
Drivers for regulation are most abundant in financial services, healthcare,
telecommunications, critical infrastructure and government systems.
Despite high-profile breaches, from Target to Yahoo, legislation to toughen data protection
standards has not gained traction, but it is not for lack of effort.
A search for "cyber security" yields 141 pieces of legislation, including bills and amendments,
that have gone before the 115th Congress with those words in the title or body, covering a
variety of areas.
Given the current Administration's focus on deregulation and a partisan Congress, sweeping
new national regulation is unlikely to be realized over the next two years. This means
that the States (as we are already seeing from California, Maryland and New York) will
drive a great deal of the regulatory change. It is more than fair to say that regulation alone
does not make any system more secure. Agreeing on consistent metrics will be key: one
cannot manage what one cannot measure.
The Challenge in Cybersecurity Regulation
Cybersecurity is a fast-morphing mix: people adapting new behaviors to new ways of doing
things, with ever newer technologies. This makes any assumption about what
regulation will be needed six days, six weeks or six months from now more than
problematic. Most legislation is initiated well after the fact and driven by a wave of litigation and
special-interest lobbying. Meaningful cyber warfare requires a more expeditious approach.
To regulate something, you must know all the players, the expected and desired actions of each
player, and the mutually agreed desired outcome. To use the sports metaphor:
we know the right number of players in the game, their positions relative to one another and
what it means to score a point.
In the cyber world, we cannot know all the players; we cannot predict how they will arrive to
play, or whether they come to score points or simply to disrupt the game; and the rules, as
outlined, are merely guideposts for what to avoid. And, currently, one team plays only offense
and the other only defense throughout the competition. This game never ends.
In order for citizens, governments, and industries to be able to begin to effectively regulate
cybersecurity, we must find a common definition of terms; a comprehensive series of meaningful
metrics; a consensus on approach; a consistent application across geographies; a constructive
incentive scheme and a crushing global deterrent.
The current internet infrastructure and regulatory frameworks are poorly tailored to keep pace
with the evolution of the internet and the digital realm in general. A very significant number of
NIST publications are being revised, rewritten and/or retired because of the
introduction of new technologies and the obsolescence of others, and most of these publications
were written in this millennium. NIST Special Publication 800-53 Rev. 1, for example, was
published in 2006, and the control catalog has been revised several times since.
The majority therefore lag severely behind present technology and threat awareness. This is
because the internet infrastructure was not designed to cope with present data volumes or the
myriad actors challenging its very scope and content.
Cybersecurity legislation and compliance, once in force, are ever-shifting. Consequently,
it is crucially important that companies anticipate tomorrow's regulatory environment. In
particular, when they are active in multiple jurisdictions, it is fundamental to systematically track
evolving laws and regulations in order to be able to respond to legal and political challenges on
To Anticipate What Will Need Regulating
Regulations become dated the moment they are placed into effect. Trying to anticipate where
regulation will be needed can be driven by what trends in technologies we can forecast.
These trends bring together technologies with the potential to initiate lasting transformation in
the digital ecosystem, which we define as all of the infrastructure, software applications, content,
and the social practices that determine how the ecosystem is used. The largest trends are as follows:
1. Cloud computing
2. Big data
3. The Internet of Things
4. Mobile Internet
5. Brain-computer interfaces
6. Near-field communication (NFC) payments
7. Mobile robots
8. Quantum computing
9. Internet militarization/weaponization
10. Blockchain and open journaling technologies
11. Cryptocurrencies
A Consensus on Predictions that will Impact Cybersecurity
1. While governments and private enterprise slowly invest in artificial intelligence to
support cybersecurity, attackers will aggressively invest in AI to aid their attacks.
2. Growing 5G deployment will open up a new dimension of cyber-attack surface
A number of 5G network infrastructure deployments kicked off this year, and 2019 is shaping up
to be a year of accelerating 5G activity. While it will take time for 5G networks and 5G-capable
phones and other devices to become broadly deployed, growth will occur rapidly. IDG, for
example, calls 2019 “a seminal year” on the 5G front, and predicts that the market for 5G and
5G-related network infrastructure will grow from approximately $528 million in 2018 to $26
billion in 2022, exhibiting a compound annual growth rate of 118 percent.
Over time, more 5G IoT devices will connect directly to the 5G network rather than via a Wi-Fi
router. This trend will make those devices more vulnerable to direct attack. For home users, it
will also make it more difficult to monitor all IoT devices since they bypass a central router.
More broadly, the ability to back up or transmit massive volumes of data easily to cloud-based
storage will give attackers rich new targets to breach.
3. IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous
Forms of Attack
4. Attackers will increasingly capture data in transit
In 2019 and beyond, we can expect increasing attempts to gain access to home routers and other
IoT hubs to capture some of the data passing through them. Malware inserted into such a router
could, for example, steal banking credentials, capture credit card numbers, or display spoofed,
malicious web pages to the user to compromise confidential information.
5. The Supply Chain Will Become (More Than It Already Has) an Attack Target
An increasingly common target is the software supply chain: attackers implant malware into
otherwise legitimate software packages at their usual distribution location. Such attacks can
occur during production at the software vendor or at a third-party supplier. The typical
scenario involves the attacker replacing a legitimate software update with a malicious version
in order to distribute it quickly and surreptitiously to the intended targets. Any user receiving
the update will automatically have their computer infected, giving the attacker a foothold in
their environment.
These attacks are increasing in volume and sophistication, and we could see attempts to
infect the hardware supply chain in the future. For example, an attacker could compromise or
alter a chip, or add malicious code to UEFI/BIOS firmware, before such components are
shipped out to millions of computers. Such threats would be very difficult to remove, likely
persisting even after an affected computer is rebooted or its hard disk is reformatted.
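The defense against the update-swap scenario described above is to verify what was downloaded against what the vendor actually released before anything is installed. The following Python is an added example, not code from the original article or from any vendor: a client compares a downloaded package against a manifest of pinned SHA-256 digests and refuses to install on any digest mismatch, extra file or missing file. It assumes the manifest itself reaches the client over an authenticated channel (in practice, signed with a vendor release key that is pinned on the client, a step not shown here); the file names, contents and digests are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(package: Dict[str, bytes]) -> Dict[str, str]:
    """Vendor side: record the digest of every file in the release.

    In production this manifest is signed with the vendor's release key and
    the client verifies that signature with a pinned public key before
    trusting it; that signature step is assumed, not shown, here.
    """
    return {name: sha256_hex(data) for name, data in package.items()}


def verify_update(package: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Client side: compare a downloaded package against the trusted manifest.

    Returns a list of problems; an empty list means the package matches the
    manifest file-for-file and byte-for-byte, so it is safe to install.
    """
    problems: List[str] = []
    # Files the manifest does not list are as suspicious as altered ones:
    # a dropped-in library or plugin is a common implant vector.
    for name in sorted(set(package) - set(manifest)):
        problems.append(f"unexpected file: {name}")
    # Files the manifest promises but the package lacks may indicate a
    # stripped security component or a truncated download.
    for name in sorted(set(manifest) - set(package)):
        problems.append(f"missing file: {name}")
    for name in sorted(set(package) & set(manifest)):
        # compare_digest is the constant-time comparison; the habit matters
        # more than the timing channel for a local digest check.
        if not hmac.compare_digest(sha256_hex(package[name]), manifest[name]):
            problems.append(f"digest mismatch: {name}")
    return problems


# Constructed sample release (not a real product): what the vendor built and
# published a manifest for.
GENUINE_UPDATE: Dict[str, bytes] = {
    "updater.exe": b"MZ genuine updater binary v2.1",
    "core.dll": b"genuine core library v2.1",
}
MANIFEST = build_manifest(GENUINE_UPDATE)

# Constructed tampered copy: same names and version string, one file modified
# and one file added, the kind of swap the text describes at the
# distribution server.
TAMPERED_UPDATE: Dict[str, bytes] = dict(GENUINE_UPDATE)
TAMPERED_UPDATE["core.dll"] = b"backdoored core library v2.1"
TAMPERED_UPDATE["helper.dll"] = b"dropped implant"


if __name__ == "__main__":
    print("genuine :", verify_update(GENUINE_UPDATE, MANIFEST) or "OK, install")
    print("tampered:", verify_update(TAMPERED_UPDATE, MANIFEST))
```

Running it reports no problems for the genuine release and flags both the altered core.dll and the added helper.dll in the tampered copy. The caveat a practitioner must keep in mind: a digest manifest served from the same compromised mirror as the package proves nothing, which is why the manifest (or the package) has to carry a signature verified against a key the client already holds.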
6. Growing Security and Privacy Concerns Will Drive Increased Legislative and Regulatory
The European Union's mid-2018 implementation of the General Data Protection Regulation
(GDPR) will likely prove to be just a precursor to various security and privacy initiatives in
countries outside the European Union. Canada has already enforced GDPR-like legislation, and
Brazil recently passed new privacy legislation similar to GDPR, due to enter into force in 2020.
Singapore and India are consulting on adopting breach notification regimes, while Australia has
already adopted notification timelines that differ from GDPR's. Multiple other countries
across the globe have received, or are negotiating, GDPR adequacy decisions. In the U.S., soon after
GDPR arrived, California passed a privacy law considered to be the toughest in the United States
to date. We anticipate the full impact of GDPR to become clearer across the globe during the
At the U.S. federal level, Congress is already wading deeper into security and privacy waters.
Such legislation is likely to gain more traction and may materialize in the coming year.
Inevitably, there will be a continued and increased focus on election system security as the U.S.
2020 presidential campaign gets underway.
While we’re almost certain to see upticks in legislative and regulatory actions to address security
and privacy needs, there is a potential for some requirements to prove more counterproductive
than helpful. For example, overly broad regulations might prohibit security companies from
sharing even generic information in their efforts to identify and counter attacks. If poorly
conceived, security and privacy regulations could create new vulnerabilities even as they close
There are calls to regulate the disruptive tech giants, including Google, Amazon, Twitter and
Facebook. Not only are their business models being scrutinized, but the pervasiveness of their
emerging connected environments (self-driving vehicles, artificial intelligence, the Internet of
Things, telecommunications and more) challenges the idea of effective self-regulation.
Not to make a political statement, but in the next two years, under an administration bent on
deregulation (as we have seen with many consumer protection laws and with environmental and financial
services regulation) and with partisan divisions, we are less likely to see any major sweeping
national regulation get through Congress. This will mean that the individual States (as we are
seeing with California, New York and Maryland) will drive more of the regulatory strategy.
Perhaps redundantly, it has to be stressed that cybersecurity should not and cannot be driven by
regulation. Regulatory relief comes too late. The drivers of innovation and inventiveness are
business drivers and the strong desire to "be first!" in a competitive society.