
The Coming Cybersecurity Regulatory Revolution

Cybersecurity regulation will take its place alongside environmental regulation, health and safety regulation and financial regulation as a major federal activity. What is not yet clear is what form the regulations will take. FISMA controls, performance standards, consensus standards and industry-specific consortia standards are all possible regulatory approaches. What is not likely is an extended continuation of the current situation in which federal authorities have only limited, informal oversight of private sector cyberdefenses (or lack thereof).

Early federal steps toward formalizing regulation of private sector IT security are already underway, with different approaches being taken by different agencies. For example, the Department of Defense is employing a FISMA-based approach in a rulemaking that would require contractors “to implement adequate security measures to safeguard unclassified DoD information….” The proposed rule would mandate that the “information security program shall implement, at a minimum, the specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls…”

A very different approach to private sector cybersecurity has been taken by the Federal Reserve with respect to debit card transactions. The agency’s interim rule for debit card cybersecurity/fraud prevention takes a non-prescriptive approach to regulation. In making its decision the Federal Reserve explained that “[s]pecifying, and limiting the set of, technologies for which issuers recover their costs may weaken the long-term effectiveness of these technologies.” Although the non-prescriptive route offers financial service firms greater flexibility, one downside is that the rule, which is part of a price cap proceeding, effectively limits the resources card issuers are able to spend on security.

The Securities and Exchange Commission (SEC) is taking a reporting-based approach to private sector cybersecurity. The SEC’s new guidance states that “cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant.” Moreover, a publicly traded company “may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context.” Meanwhile, the FBI is taking a very different approach to cybersecurity by calling for a secure, limited access alternative internet to support critical government and corporate functions.

Agencies’ approaches to cybersecurity risk management are being driven by their different statutory responsibilities and authorities rather than reflecting regulatory mechanisms tailored to the needs of different industries. Although a one-size-fits-all federal attitude toward cybersecurity regulation is not necessarily beneficial, neither is an ad hoc modus operandi.

Instead, there is a need for a national dialog to ventilate cyber-regulatory issues, preferably prior to additional regulatory and legislative activities. Stakeholders that would need to be represented in the dialog include agencies with technical expertise, such as NIST; regulatory agencies, including the independent ones (FCC, FERC, etc.); various industry sectors, including small business representatives; state and local governments; civil society; academia; and major trading partners. NIST’s Risk Management Framework could help provide structure to the discussions.

One of the most important issues that needs to be explored is which entities would potentially be subject to regulation. “Critical infrastructure” is a convenient term to describe entities that may be cyber-regulated, but not one with well-defined boundaries. For example, development of the Smart Grid could mean that home internet connections may be considered critical infrastructure and subject to security regulation. Thus, there could be security-related regulation of everything from the design of home appliances to the use of home computers.

The twin issues of liability and accountability also need to be thoroughly explored before new cybersecurity regulations are developed. If a regulated company experiences a security breach, who is at fault from a regulatory compliance viewpoint? The company? Its IT vendors? The company that wrote the software program containing the vulnerability that was exploited? The possibilities for liability and blame-shifting are endless. All that’s clear at this point is that everyone from code writers to cloud vendors may be subject to federal cybersecurity regulation.

The possibilities for IT security conformity assessment requirements are also open-ended. Possibilities include Sarbanes-Oxley style independent audits and certification by senior corporate officers as well as numerous alternative mechanisms.

The sooner a broad-based structured dialog begins, the better. An Interactive Public Docket such as FISMA Focus could serve as an inclusive, transparent mechanism facilitating the dialog. Principles which should govern development of cyber-regulation, including cost effectiveness, should be the first discussion topic.
