I fought the law
When it comes to how corporations manufacture and sell products, people hold varying views on what role government should play in that process. Some think too many laws and regulations already exist, while others believe more governance is necessary. Whichever side of that debate you fall on, it's hard to deny that laws and regulations have had an impact on information security.
In the current age of security-conscious mainstream media, it's hard to remember that less than a decade ago security teams' best weapon for obtaining funding for the security program was to rely on compliance mandates. (This is still the case for some organizations, unfortunately.) Security has begun to come out of the shadows as it relates to business priorities, but teams continue to struggle with finding "best practices" upon which to model security and threat programs. Myriad frameworks and guidance exist, and some of those, such as the NIST Cybersecurity Framework, do their best to keep up with organizational needs. However, even that guidance is updated only every few years while technology and innovation whiz forward. Laws and regulations, on the other hand, trail far behind, often putting organizations in a bind when trying to modernize security practices and usage.
Take, for instance, the Computer Fraud and Abuse Act (CFAA), which was enacted in 1986—31 years ago! While the intention was to legally prohibit unauthorized access to computers and networks, which is decisively positive, the written law is somewhat vague in its definitions of "access" and "authorization," and has left much room for interpretation. Password sharing, for instance, could be considered illegal and punishable by law. How many system admins would you lose to jail if someone decided to probe your network?
All kidding aside, and most importantly, the CFAA definitively has not done a thing to slow cybercrime, even after several subsequent attempts to modernize the law. Cybercrimes happen in greater numbers and more frequently than ever, and yet some security researchers are hesitant to undertake or disclose certain important research because of a 30+ year-old law that isn't sufficient for today's technology landscape. Says Summer Fowler, technical director of the Cybersecurity Risk & Resilience Directorate in the CERT program at Carnegie Mellon, "the most recent amendment to the CFAA was passed in 2008. Think how different the world was in 2008 – the iPad was released over two years after the last amendment!"
A similarly outdated law, the Digital Millennium Copyright Act (DMCA), published in 1998, remains in effect today. Like the CFAA, the DMCA's broad definitions of what constitutes a crime are not sufficient for today's technology usage, let alone for the type of information security research required to keep organizations and consumers secure. It's important to note that the DMCA does make some exceptions that affect security practitioners' work, namely for encryption research, personal privacy, and security testing. However, many security practitioners feel the lines are too grey for a world of Internet of Things (IoT) devices and smartphones with PII-gobbling features.
Making matters worse, a few notable hardware and software companies have leaned heavily on the DMCA and threatened lawsuits against white hat hackers (in some cases, even when the hackers had been invited to conduct security research). Further, one hacker was publicly arrested after presenting his exploit findings at DEF CON 2001. These instances undercut some of the good work that could be done if laws and regulations were updated to reflect today's cybersecurity reality.
So why haven't they been? According to Fowler, it's the pace of technology change. Technology and innovation are speedy while laws are slow and methodical. In technology, it's not uncommon to see iterative versions of a product year upon year, while laws are lucky to be updated once every decade or so. In addition, she adds, "Governance, policy, and laws fall under the 'process' category," only one-third of the "people, process, and technology" triad. Focusing solely on how technology is used is a major shortcoming of current laws, since people and process obviously affect what can be secured and what can be compromised just as much as technology does. Security has become an entire ecosystem over the past few years, meaning that organizations can't "section off" parts of the business as having no information security implications. How many businesses run without any digital aspects whatsoever? Right.
Over the years, organizations have come to recognize that "assets" (in a security sense) in a corporate setting aren't limited to technology alone. Says Fowler, "'assets' include people, process, technology, facilities, and materials or supply chain goods and services." These are often overlooked when lawmakers write laws, likely because lawmakers have only recently started working alongside the private sector information security community to truly understand the scope of the industry's problems. Much of the focus in the past, laments Fowler, has been on procuring technology and using it out of the box, both in the laws themselves and, to a certain extent, among security practitioners, rather than on real-life situations or use cases.
The recent decision by the FCC to roll back internet privacy regulation is one example of how difficult it is to enact new security and/or privacy regulation. Some of these topics are akin to religious wars, depending on one's stance, but to put it in nonsectarian terms, activities like threat intelligence, customer data storage, and data sharing with third parties all have information security implications: the more data your organization collects and stores, the higher the probability that it will be breached by an unauthorized party. The more data sharing your company participates in, the greater the likelihood that your customers' data will fall into the hands of a partner company with less effective data security. In the case of the privacy regulation, lawmakers voted in favor of allowing companies to monetize data rather than securing it.
This is why outdated laws are governing current technology usage. Security has not yet become influential enough to shape major business decisions. Slow progress is being made on some fronts, but security needs to make its voice heard loudly enough that policymakers both understand and care about security as a top-line item. If the industry wants change, the change must come from within: very few people understand the negative consequences of twenty- and thirty-year-old laws as well as practitioners in the field do.