The Need for Cybersecurity Regulations
The world is seeing a boom in the use of technology and in the interconnection of networks, which increases the threats and vulnerabilities in this domain. The need of the hour, therefore, is a stringent public policy that incorporates cybersecurity legislation.
Why We Need Cybersecurity Regulations
A robust cybersecurity policy is essential to monitor and address critical risks. These include data breaches, phishing, malware attacks, and other incidents that could impact a nation.
While existing cybersecurity policy does include mandates for fields like healthcare, finance and federal agencies, many industries have no applicable public policy. In addition, even industries that do have predefined regulations find it challenging to enforce and comply with these legislative measures.
Dangers Posed By The Lack of Cybersecurity Regulations
One example of the dangers of a lack of guidance is the DarkSide attack on Colonial Pipeline. The CEO of Colonial Pipeline testified in a hearing before the Senate Homeland Security and Governmental Affairs Committee, revealing that there was no guidance in place to deal with a potential ransomware attack before the attack in May 2021.
The organization paid DarkSide $4.4 million in cryptocurrency to obtain the decryption tool and regain access to its files. The attack caused a massive fluctuation in gas prices on the East Coast. With Colonial Pipeline responsible for about 45% of gas, jet fuel and petroleum products on the East Coast, such an attack has massive repercussions.
This highlights the need for strict legislation and public policy that determines the measures taken to enhance cybersecurity. Companies, irrespective of size, should make sure that such measures are in place, and this would be easier to achieve if there were some form of compliance check.
Existing Cybersecurity Laws and Enforcement
At present, cybersecurity is addressed through sector-specific initiatives. The Federal Trade Commission is responsible for the prohibition on unfair and deceptive practices and enforces minimum security requirements for the protection of user data.
However, in a 2018 hearing, a federal court pointed out that while the FTC maintains a general set of guidelines, it only asks that a company maintain a ‘comprehensive information security program. The program must be reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.’
This does not help to actually identify any specific unfair acts or practices. It raises many questions about the FTC’s data security consent orders and calls for a shift in any future data security actions.
Why There Is More to Be Done
Existing sector-specific laws leave a lot of loopholes. Maintaining minimum security is no longer enough: companies need to be prepared for attacks and should have mitigation and risk management practices in place. It is the responsibility of a government to protect its people and their data, and such a responsibility requires the enforcement of laws.
Attacks are bound to happen, irrespective of best practices, so they must be assessed and dealt with appropriately. That is why there needs to be more initiative to introduce effective cybersecurity laws and public policy.