Interstates and Cybersecurity Regulations

Garrett Poorbaugh
Published: March 30, 2022
Last Updated: May 1, 2022 3:22 PM

The Interstate.

For as long as we have had progress in any industry, we have accepted the reality that regulators move in and standardize or codify the requirements for players in the field. In most cases this regulation can usher in ideas that stabilize the products or offerings delivered to consumers. Take, for example, a set of standards you likely take for granted daily: the interstate system. No matter where you are in the United States, you can count on a reliable and connected roadway that limits the types of traffic control devices (i.e. traffic lights), limits sharp curves or grades, and enforces a predictable 70 mph speed limit. These standards owe their thanks to the American Association of State Highway and Transportation Officials (AASHTO). They were developed over time to reduce road fatalities and fine-tune the system to be as friendly to human drivers as possible, and they are a prime example of how standardization and codification of rules can help consumers and even save lives.

Interstates are highly standardized

Why the Regulations?

It could be argued that all regulations, at their core, intend to move everyday people's lives in a better direction, with each regulation taking a step toward a better system for whatever industry it touches. But what happens when it appears that a regulation pushes an industry a few steps back? If we look at an industry such as cybersecurity, it is evident that lawmakers have stepped up to the plate to start laying the groundwork for regulations that secure businesses and, consequently, their customers. Well-known regulations such as HIPAA help keep patient medical information out of the wrong hands, and GLBA keeps important customer financial data from being leaked. Both push companies to improve their cybersecurity posture for the benefit of the customer, and both can be seen as critical requirements for any customer participating in either field. When does this become a problem, you might ask?

Regulations aren't a bad thing, most of the time...

We Should Think Differently.

Regulations in cybersecurity can start to do more harm than good when they are pushed as a requirement to do business without having been re-evaluated on their merits in the years since they were published, or when they were written so specifically that they leave no room for adaptation. The result is an organization that complies with the letter of the law while going against its spirit. Take, for example, FIPS 140-2; while there is officially a FIPS 140-3 in the making, FIPS 140-2 is still very much the de facto standard for organizations wishing to work with the federal government. In a nutshell, it covers how data should be encrypted both in transit and at rest and specifies the cryptographic mechanisms for doing so using a list of approved algorithms. Rather than approving whole classes of algorithms (for example, allowing AES with any key length of 128 bits or more), it also specifies the modes of operation to be used, validated through certification by a third party. This means that if your tool supports stronger methods that have not yet been added to the certified list, you may be forced to use an older, less robust method to remain compliant.

Situations like this one are scattered throughout cybersecurity regulations and regularly haunt security-minded individuals, which signals that regulation in cybersecurity is inherently different from regulation in many other industries because of how quickly the space evolves. Harking back to the interstate example, road materials do not change as often as cryptographic ciphers get cracked, and a straight road does not become more dangerous over time, whereas old methodologies such as mandatory password rotation do. While it is important that a minimum security baseline be required of organizations, it is just as important that the spirit of the law is upheld rather than merely its written word. Unless lawmakers have time to keep up with changes in the cybersecurity landscape, regulations that ground themselves in the best available modern practices while prohibiting deprecated ideas or methods may be the more modern and flexible answer to the problem.

Our example of how continuously improving policy could behave.

Conclusion

The jury may still be out on whether regulators of the cybersecurity industry could ever achieve a harmonious regulatory stance such as the well-adopted AASHTO framework for highways. However, the sooner we accept that the cybersecurity industry is fundamentally different, with constantly evolving threats, the sooner we can craft regulations that adapt with the times and keep attackers out of the driver's seat.

Security Connections to Remember

· Interstates are excellent examples of regulation that we benefit from daily.

· Cybersecurity has regulations, too, but they shouldn't be treated like a road that stays the same.

· We should expect our cybersecurity regulations to be continuously improving and self-sharpening.


Copyright © 2022 Security Connections. All rights reserved.
