* By Ido Sivan-Sevilla, CyAN member, and Gabi Siboni
– The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of CyAN –
After three decades of widespread development in digital technologies and telecommunications, it has become evident that cybersecurity cannot be adequately ensured by the market's "invisible hand." Market failures in cybersecurity call for state intervention to advance the public interest and mitigate cybersecurity risks. These failures include underinvestment in cybersecurity by companies, which bear only part of the cost of a data breach while the remainder falls on customers and third parties; the lack of efficient information sharing, partly because of antitrust concerns; and the absence of product liability for software and hardware. In contrast to the engaged role states play in protecting the public interest in other high-risk domains such as food safety, transportation, health services, and financial operations, states have yet to engage in systematic regulation of private-sector cybersecurity risk.
Creating regulatory regimes to enhance cybersecurity entails establishing norms, rules, monitoring procedures, and enforcement practices that minimize harm to the public. The vulnerability of digital technologies creates risks to critical infrastructure, business continuity, intellectual property, trade secrets, and consumer privacy. Cybertechnologies are used across all sectors and for an increasing number of purposes, even though their security cannot be completely assured: we still lack the ability to fully understand, let alone prevent, the ways in which software and hardware fail. Because cybersecurity cannot be reliably measured, regulatory intervention is a significant challenge, and regulators tend to avoid the traditional command-and-control methods of state regulation. The problem is exacerbated by the rapid pace and associated uncertainty of technological development, as well as by the involvement of a vast number of stakeholders from government, the private sector, and the scientific community.
A comparative analysis of cybersecurity regulation across the United States, the European Union, the United Kingdom (UK), France, Germany, and Israel reveals a variety of risk approaches, levels of investment, degrees of institutionalization, and positions on the influence of intelligence bodies. Still, a common theme emerges: none of these states makes a systematic effort to address cybersecurity in the private sector. Many have rapidly increased their cybersecurity budgets in recent years and have expanded efforts to build capacity in information sharing, cybersecurity standardization, and risk management planning. However, no state currently provides systematic guidance to the private sector as a whole that would protect national security against the consequences of private-sector cybersecurity breaches.
Col. (Res.) Dr. Gabi Siboni is the director of the Cyber Security Program at the Institute for National Security Studies (INSS), Tel Aviv University, and the CEO of G. Bina Ltd., a cybersecurity consulting firm.
Ido Sivan-Sevilla is a research fellow in the Cyber Security Program at the Institute for National Security Studies (INSS). He is writing his PhD thesis on regulating emerging cybersecurity and privacy risks at the Hebrew University of Jerusalem.