Building cyber security into the development of regulation

A current challenge in the practice of cyber security is how to understand threat and vulnerability at a time of state-on-state conflict.

Events in Ukraine have prompted national technical authorities in the US, Europe and the Anglosphere to warn of threats to Critical National Infrastructure. Enterprises are enjoined to raise their protections against known vulnerabilities, most of them exploited by criminals, but also to prepare for the novel: to look for anomalies, and to spot state actors.

We sometimes get a glimpse of the close combat underway in cyberspace. In April the US announced that it had acted to pre-empt actors who planned to use a botnet, “Cyclops Blink”, to mount attacks with command and control from infected routers and firewalls. Occasionally in my cyber practice supporting companies through crises, a state actor appears. Sometimes, rarely, a “zero day” exploit is used to get in (perhaps where a commercial exploit won’t succeed?). Data selection and exfiltration for intelligence purposes, or prepositioning for an undefined future purpose, then follows. What isn’t seen are the destructive “quasi-kinetic” attacks, or those which disrupt whole systems, from the armouries of advanced state offensive cyber programmes. Those are in reserve. Their use, or even the presence of their malware, would probably be an intervention or act of war and would cross a threshold so far respected.

Most cyber security practitioners do not have sight of those novel offensive cyber (OC) techniques for intrusion or disruption. They rely on state authorities to advise them, complementing the “lag” indication of commercially known threats and vulnerabilities with the unique “lead” insight which comes from state-level intelligence coverage. Insight also comes from having an OC programme. The Cybersecurity and Infrastructure Security Agency (CISA) in the US and the National Cyber Security Centre (NCSC) in the UK would be worth listening to simply for their aggregation of threats. A less understood “secret sauce” is the insight that comes from their access to their own attack teams. It helps them make sense of what is possible and what is vulnerable, even if the full details cannot be made public.

What do legislators and regulators do in the face of these uncertainties as they try to design enduring and technology-agnostic laws and compliance regimes? There is a contrast between those who have the benefit of true national security advice and those who don’t, or at least a difference of mindset. In a recent piece for the European Union Institute of Strategic Studies I questioned whether the EU is organised to take properly constituted decisions on cyber security and privacy. I argued that because it had no effective formal mechanism to gather the national security insight of its most cyber-capable member states, it risked regulating without proper consideration. My worked example was the Digital Markets Act (DMA) and whether the risks from disrupting app stores for competition reasons had been given proper security consideration. This was in the early days of the Ukraine crisis, when the EU Commission was talking about creating a “ring of resilience” around the EU. That aspiration looks like a stretch.

Two recent contrasting developments have brought these issues back into focus.

First, it is reported that, as the EU works towards bringing the DMA into force this October, two member states have proposed that representatives of the EU cyber security advisory body, ENISA, be included on a proposed European High-Level Group of Digital Regulators to facilitate coordination between member states and the EU on enforcement decisions. Three points stand out: (I) existing implementation plans don’t have a security component; (II) this step is proposed but not agreed; and (III) ENISA is the chosen body even though it lacks the trusted access to national security OC insight which makes CISA and NCSC so potent.

Second, meanwhile the UK’s Department for Digital, Culture, Media and Sport (DCMS), faced with the likely change which the DMA will bring about in the distribution of apps, is consulting on a code of conduct, and then possibly regulation, to “protect consumers from malicious and poorly developed apps”. The duty is likely to fall on the app developers and the responsible app store. It is hard to say whether there is national security insight behind this or whether it is motivated solely by consumer protection. Certainly there are examples where apps have been the vector for state actions such as intercept or surveillance.

These are both snapshots of ongoing legislative processes. The EU may yet get to the right place. More digital legislation is coming in the EU, the UK and elsewhere. It needs to be informed by cyber security and data privacy realities, and, for every piece of regulation, the question should be asked: “how does this improve our cyber resilience in these uncertain times?”. That question is not being asked clearly enough now.

About the Author

Paddy McGuinness of Venari Security is a former UK Deputy National Security Adviser for Intelligence, Security and Resilience, and Cyber Programmes lead. He now advises businesses and governments globally on technology resilience issues, including cyber crises.

Featured image: ©Peshkova