Rising cyber threats and incidents of cyber-attack across the globe have many calling for federal intervention to protect our digital valuables.

What’s Happening …

In recent news, UnitedHealth Group (UHG) paid a $22 million ransom to the BlackCat (ALPHV) ransomware gang after a late-February cyber-attack on its subsidiary Change Healthcare. The attack, which was eventually traced back to stolen credentials, led to widespread service outages across the U.S. healthcare industry, massive ongoing financial losses for medical clinics, and unpaid claims.

The incident that many are calling a national security threat again stirs debate on whether government should mandate stronger cybersecurity and privacy practices for companies.

On Wednesday, UHG CEO Andrew Witty testified before the Senate Finance Committee, which raised tough questions about the company’s security practices. Witty admitted that Change Healthcare was still running “legacy” IT systems – systems that were clearly not adequate to protect personal information.

The hackers used stolen credentials to log into a Change Healthcare remote-access server that was not protected by multifactor authentication (MFA). A stolen password alone should never be enough to reach an internet-facing system; MFA tops the list of baseline cybersecurity requirements for exactly this reason. The Department of Health and Human Services has opened an investigation into whether UnitedHealth complied with the Health Insurance Portability and Accountability Act, or HIPAA, which mandates safeguards for patients’ healthcare data.
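The gap described above is easy to state and surprisingly easy to miss in practice: a system that accepts a password with no second factor. The following is an added example (not code from the original article, UnitedHealth or Change Healthcare) showing how a defender can audit authentication logs for that condition. The log format, host names and the sample events are all constructed for illustration; the idea is to flag every successful login whose factor list contains nothing stronger than a password, and to roll that up per host so the internet-facing systems with the gap stand out.

```python
"""Flag successful remote-access logins that completed without an MFA factor.

Added example; the log line format below is an assumption (a simple key=value
layout), not any vendor's real format.
"""
import re
from collections import Counter

# Constructed sample events, one authentication event per line. Not real logs.
SAMPLE_LOG = """\
2024-02-17T03:12:04Z host=vpn-gw01 user=jsmith result=success factors=password,totp src=203.0.113.7
2024-02-17T03:14:51Z host=citrix-pub01 user=svc_remote result=success factors=password src=198.51.100.23
2024-02-17T03:15:02Z host=citrix-pub01 user=svc_remote result=failure factors=password src=198.51.100.23
2024-02-17T03:20:19Z host=vpn-gw01 user=alee result=success factors=password,push src=192.0.2.44
2024-02-17T03:22:40Z host=citrix-pub01 user=mkhan result=success factors=password src=198.51.100.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"factors=(?P<factors>\S+) src=(?P<src>\S+)$"
)

# Factors that count as a genuine second factor. A password on its own does not.
STRONG_FACTORS = {"totp", "push", "fido2", "smartcard"}


def parse_events(text):
    """Parse key=value log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["factors"] = set(ev["factors"].split(","))
        events.append(ev)
    return events


def password_only_logins(events):
    """Successful logins whose factor set contains no strong second factor."""
    return [
        ev for ev in events
        if ev["result"] == "success" and not (ev["factors"] & STRONG_FACTORS)
    ]


def hosts_missing_mfa(events, internet_facing):
    """Of the hosts the operator lists as internet-facing, which accepted a
    password-only login, and how many times?"""
    counts = Counter(ev["host"] for ev in password_only_logins(events))
    return {host: counts[host] for host in internet_facing if counts[host]}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in password_only_logins(evs):
        print(f"ALERT password-only login: {ev['ts']} {ev['user']}@{ev['host']} from {ev['src']}")
    print("hosts accepting password-only logins:", hosts_missing_mfa(evs, ["vpn-gw01", "citrix-pub01"]))
```

Failed attempts are deliberately ignored here: the finding is that the host would have let a password-only session through, which is a configuration problem on the host, not a question of whether the attacker guessed right on a given try.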

Witty also admitted that the attack could have national security implications, saying that he believed members of the armed forces would also be affected. More information will be provided in the next two weeks, he said.

A Call for Tougher Cybersecurity Standards

Senators on Wednesday’s panel seemed to agree that stronger security should be at least partially a government concern.

  • Committee chairman Ron Wyden, D-Ore., agreed that the UHG attack was a ‘national security risk’ and compared it to the OPM data breach of 2015.
  • “It is Exhibit A,” he said during his opening remarks, “… that tough cybersecurity standards are necessary to protect critical infrastructure — and patients — in this country.”
  • Senate Intelligence Committee Chairman Mark Warner, D-Va., agreed that “we need those minimum standards” in healthcare. “We were just waiting for a crisis to happen.”
  • Senator Thom Tillis, R-N.C., took an even bolder tone as he presented the committee with a copy of the book Hacking for Dummies to illustrate his point that UnitedHealth should have practiced at least basic cybersecurity hygiene.
  • “We are making a huge mistake by not having federal rules of the road on data privacy, data breach and how these enterprises have to really work on it,” he said.

Several senators brought up broader data privacy concerns. With no comprehensive federal data privacy law in the US, debates over how to get one passed have been at a stalemate for years. In April 2024, Congress once again presented a bipartisan draft.

Though the UHG incident is not the first to raise concern, the attack on Change Healthcare is a glaring reminder of the importance of cybersecurity. And it has resurfaced heated debate about accountability – not just in the healthcare industry, but in any sector and any business that handles sensitive data.

But just which entities are there to lay down requirements? And what are they doing now?

Organizations have done a lot to urge companies and individuals to better protect our information and identities.

Among efforts to tackle ransomware, CISA, together with the FBI, NSA and MS-ISAC, recently updated its #StopRansomware Guide. Definitely worth the read.

The FTC Safeguards Rule requires non-bank financial institutions under the FTC’s jurisdiction (as defined by the Gramm-Leach-Bliley Act) to put basic security protocols in place to protect customer information. …

In December 2020 the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 was finally signed into law.

The law requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines related to the security of IoT devices.

The law also requires that the Office of Management and Budget (OMB) issue recommendations based on NIST guidelines for federal agencies, which in turn must ensure that IoT devices they procure and use comply with those standards and guidelines. …

While this is a great effort, the law primarily sets forth guidelines and procurement requirements for federal agencies, rather than mandating steep penalties for non-compliance.

Following is a more detailed list of organizations and their missions:

National Institute of Standards and Technology (NIST)

  • Regulations: NIST provides cybersecurity guidelines and standards, most notably in the form of the NIST Cybersecurity Framework (CSF) and the NIST Special Publication 800 series (e.g., SP 800-53, SP 800-171).
  • Scope: NIST’s guidelines are widely used in the United States across government agencies and in many industries as a framework for managing and improving cybersecurity risk.

International Organization for Standardization (ISO):

  • Regulations: ISO/IEC 27001 and ISO/IEC 27002 are internationally recognized standards for information security management systems (ISMS) and security controls.
  • Scope: ISO standards provide a comprehensive framework for establishing, implementing, maintaining, and continually improving an ISMS.

European Union (EU) Data Protection Authorities:

  • Regulations: General Data Protection Regulation (GDPR) is one of the most comprehensive data protection regulations globally, establishing strict requirements for the protection of personal data and imposing significant penalties for non-compliance.
  • Scope: GDPR applies to all EU member states and any organization processing personal data of EU residents, regardless of where the organization is located.

Federal Trade Commission (FTC) (United States):

  • Regulations: The FTC enforces consumer protection laws related to data security and privacy, including the Safeguards Rule and the Children’s Online Privacy Protection Act (COPPA).
  • Scope: The FTC investigates and takes enforcement actions against companies that engage in unfair or deceptive practices related to data security and privacy.

Cybersecurity and Infrastructure Security Agency (CISA) (United States):

  • Regulations: CISA provides cybersecurity resources, guidance, and best practices to enhance the security and resilience of the nation’s critical infrastructure.
  • Scope: CISA collaborates with government and private sector partners to manage cyber and physical risks to critical infrastructure sectors.

Payment Card Industry Security Standards Council (PCI SSC):

  • Regulations: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
  • Scope: PCI DSS applies to organizations worldwide that handle credit card transactions.

Federal Communications Commission (FCC) (United States):

  • Regulations: The FCC regulates telecommunications and internet service providers and may issue regulations related to network security and data privacy.
  • Scope: FCC regulations impact telecommunications companies and ISPs operating in the United States.

Internet Engineering Task Force (IETF):

  • Regulations: The IETF develops and promotes voluntary Internet standards, including protocols and guidelines related to Internet security.
  • Scope: IETF standards are widely adopted across the internet and influence the development of secure communication protocols.

As evidenced by the myriad incidents over the past few years, one cyber-attack can take a serious long-term toll on individuals, companies, and societies. While regulations are in play, most are simply published guidelines. … Many are calling for even greater control over how companies handle our digital valuables. But what are the arguments for greater control?

Arguments for increased government intervention

  • Escalating Cyber Threats:

As technology advances, so do the methods used by cybercriminals to breach networks and steal data. Governments should rise to the occasion to impose higher standards on all sectors to ensure companies and individuals are protected against these evolving threats.

  • Inadequate Self-Regulation

While some companies implement robust cybersecurity measures on their own, many don’t, whether because of cost concerns, lack of awareness, or the belief that they won’t be targeted. Government intervention would establish uniform standards to ensure all companies, regardless of size or sector, meet a baseline of cybersecurity resilience.

  • Critical Infrastructure

Critical infrastructure (power grids, water supply, transportation networks, etc.) is increasingly tied to the internet, and therefore more vulnerable to attack. A successful attack on critical infrastructure could have catastrophic consequences for public safety and national security. Safeguarding these essential services is crucial to minimize risk.

  • Rising Costs

Cyber-attacks are not only becoming more frequent but also more costly, with the average price in the millions. The financial impact of cyber incidents, including remediation costs, legal fees, and loss of revenue, can be staggering for businesses. Moreover, the long-term reputational damage from a breach can be even more costly. By enforcing stricter cybersecurity requirements, governments can help reduce the likelihood and severity of cyberattacks, thereby lowering the overall economic burden on businesses and society.

  • Protection of Personal Data

With the increasing digitization of personal information, the protection of sensitive data has become a significant concern for individuals. Government regulations such as the GDPR (General Data Protection Regulation) in the European Union have set a precedent for protecting individuals’ privacy rights and holding companies accountable for data breaches. Strengthening cybersecurity requirements ensures that companies handle personal data responsibly, preserving individuals’ privacy and reducing the risk of identity theft and fraud.

  • Global Cybersecurity Leadership

By implementing stringent cybersecurity regulations, governments can position themselves as leaders in cybersecurity on the global stage. This not only enhances their own national security but also strengthens international cooperation in combating cyber threats. A coordinated approach to cybersecurity, driven by robust government requirements, fosters collaboration among nations and promotes a safer digital environment for businesses and individuals worldwide.

  • Encouraging Innovation

Contrary to the belief that strict regulations stifle innovation, cybersecurity requirements can actually fuel it. Companies are incentivized to develop new solutions to meet regulatory standards while also improving their overall security posture. This can foster a culture of innovation within the cybersecurity industry, leading to important advancements that benefit businesses, consumers, and societies.

Arguments against Government Intervention

  • Innovation:

Government regulations can sometimes stifle innovation in cybersecurity. Companies may be less motivated to develop new technologies and solutions if they fear burdensome regulatory requirements.

  • Flexibility:

Rapidly evolving cybersecurity threats require equally rapid responses. Government regulations can be slow to adapt, hindering the ability of organizations to respond effectively to emerging threats.

  • Cost:

Compliance with government regulations can be expensive for businesses, especially smaller ones. These costs may be passed on to consumers or result in decreased competitiveness for businesses.

  • Privacy concerns:

Heavy government involvement in cybersecurity could potentially infringe on individuals’ privacy rights. Measures such as increased surveillance or data collection could be seen as overly invasive.

  • International implications:

In a globally interconnected world, government regulations on cybersecurity can become complicated, especially when dealing with multinational companies. Differing regulations across countries can create compliance challenges and may even lead to conflicts between governments.

  • Over-reliance on government:

Relying too heavily on government intervention can create a false sense of security. Organizations may become complacent or assume that the government will handle all cybersecurity issues.

  • Ineffectiveness:

Some argue that government regulations may not necessarily lead to better cybersecurity outcomes. Instead, they may create a checkbox mentality where organizations focus on meeting regulatory requirements rather than addressing actual security risks.

  • Dynamic nature of threats:

Cybersecurity threats are constantly evolving, and what works today may not work tomorrow. Heavy government regulations could inadvertently lock organizations into outdated security measures.

What are your thoughts about stricter regulations on businesses for cybersecurity practices?

For more information about how you can greatly enhance security, reduce cost, and simplify the way you access your most valuable company digital assets, please reach out at any time.