The helpful strength of (cybersecurity) regulation
Regulation is a centuries-old mechanism to protect people, help them be treated fairly, provide trust to society in general, and help to make sense of the world. At the same time it provides guardrails that prevent common resources from being ruined or stolen by dominant players.
I will illustrate this with historical examples and then extrapolate this to the use of regulation in cyberspace. Regulation is a strong force. I believe security leaders should use their energy to ensure the strong regulatory force is pointing towards a future digital society where people are safe, free and happy.
The Market Cross
In 1504, the local authorities granted the town of Fettercairn the right to hold markets and to erect a so-called market cross. These market crosses signify not only the place where markets are allowed to be held, but also their frequency and sometimes the types of goods that may be sold. This helps sellers and buyers find each other.
This type of market regulation is even older than that. In Birmingham, in 1166, a market charter was published that stipulated exactly which goods could be exchanged on the local markets, and on which days and at which times.
Regulating markets is a very old phenomenon: it helps people who want to buy things by telling them where and when merchants offer them. Next to time and place, price and size are the other attributes that people need to be able to trust. The Fettercairn market cross carries an inscription with the length of the local “ell”. People selling goods at this market must specify their prices per “ell”, so buyers can trust the merchants not to cheat.
In these and many other old towns, public buildings near market squares often carry such measurements of length. In Regensburg, on the outer walls of the town hall, you can still find metal objects depicting the “height”, “shoe” and “arm” units of length. Merchants were obliged to calibrate their measuring tools against these to ensure a fair market. In those days, every city had its own units of measurement.
Time
Another important unit to standardize was the unit of time. For us the usefulness of agreeing on a standard for time is evident, but centuries ago, measuring time was neither easy nor precise. Authorities regulated time to ensure that people’s actions and appointments could be synchronized. Churches and towers were used to carry large clocks and bells that communicated the time to the villagers.
Next to measuring the time of day, standardized calendars have been important artefacts of rulers for thousands of years. Any society depends on food production and agriculture. Knowing when to sow and when to harvest was therefore existential.
Calendars and clocks not only set standards, they also encode and therefore share wisdom and knowledge into a common language and norms. This is an important quality of regulation: it acts as a multiplier of expertise to the wider audience and hence democratises wisdom.
In many churches you can find very old astronomical clocks that show not only the time, but also the movement of the planets and the moon. These clocks are masterpieces of engineering and bring together a wealth of the scientific knowledge of their time. For some it might be surprising to find works of science in a place of worship, but in those days these mechanisms were seen as representations of the divine clockwork of the universe. The clocks were meant to provide meaning to people living in a complex world full of events that were not understood.
Enablement and Control
Besides protecting, ensuring fairness and providing trust, regulation also contains elements of control. Setting standards without consequences for those who do not comply is not effective (unfortunately).
After the Pentland Rising of 1666, the heads of the men executed in Edinburgh on December 7th were put on display at the local market cross.
Putting them on display was meant not only to impress the people but also to communicate the rule of power and its consequences. The meaning of liability needs to be communicated and demonstrated in order to influence behaviour. Implementing consequences is necessary to make regulation effective, but it is not the goal of regulation.
The use of regulation
These examples illustrate important attributes of regulation:
- it organizes information and language,
- it defines and harmonizes units of time, length, measurements,
- it provides an external force to steer and align focus, energy and priority,
- it encodes expertise and wisdom and helps to make sense of the world.
Cyber regulation
In February 2020, the European Commission published policy documents setting out its vision for a “Europe fit for the digital age” in response to the rapid development of technology. Since then, a large volume of new regulation has been published to regulate cybersecurity, AI, data and more.
For cybersecurity professionals, in particular the CRA, NIS2 and, for those working in the financial industry, DORA are top of mind.
Although we all now understand the value of regulation, having so much new regulation created in parallel can lead to uncertainty due to overlap or even contradictions. We all experience these. This is not a downside of regulation itself; it highlights the importance of a high-quality process for creating regulation.
Because regulation is enforced as law by authorised parties in our society, it is a very strong force. Hence it is important that regulation is clear, unambiguous, and moves actors in the intended direction. Intended, because it is the result of democratic decision making, but also because it encodes the shared wisdom of practitioners. The quality of the process, and of the people involved in creating and evaluating regulation, is therefore key. Only when these are of the right quality can regulation help make sense of the world.
We need to make sense of cybersecurity. Cybersecurity is complex and the world is moving fast. Cyberspace has become a commonly held resource in our society. Without regulation, commonly held resources will be ruined.
The tragedy of the commons
The tragedy of the commons can be defined as a theory asserting that the unregulated use of commonly held resources by self-interested individuals leads to the ruin of those resources (Garrett Hardin, 1968).
Following this reasoning, it is now clear that cyberspace needs coordinated and shared approaches for its usage. Without them, it will be ruined or stolen by a few dominant players. In our society, that type of coordination can only be done through regulation.
We should consider regulation as an astronomical clock that makes sense of the complexity of cybersecurity and provides some level of clarity for people and organisations navigating that complexity. Experienced cybersecurity professionals should therefore not use their skills and authority to fight regulation, or to find clever ways to comply with it or dodge it at minimal cost.
They should instead use their experience and wisdom to help create the right regulation. By doing so they create a strong force that helps us move forward, and at the same time they share their wisdom by encoding it in rules.
Security leaders should therefore spend some of their time and resources on public-private cooperation that helps create new regulation or evaluate existing regulation.
Cyberspace is the fabric of our digital societies and through the means of regulation, security leaders and practitioners can ensure that our society evolves into a digital society in which people are safe, free and happy, avoiding the tragedy of the commons.