Wake Up Call: The Privsec Enforcement Problem
As part of a set of three articles to mark Data Privacy Day 2023 (see accompanying articles by Jakub Lewandowski and Thomas Bryant), Bill Mew argues that there is a real enforcement problem – it’s like the ‘Wild West’ out there.
Policies, frameworks, and rules are only helpful if adhered to, just as regulations and laws are meaningless without enforcement. The problem in the data privacy and cybersecurity arena is that where rules should be applied, they are frequently ignored, and where laws have been introduced, enforcement is lacking.
CISOs (Chief Information Security Officers) have a thankless task. Staff are usually reluctant to abide by the cyber hygiene measures that a CISO seeks to enforce, but when their lack of discipline results in a breach, these colleagues are too quick to pin the blame on the CISO. On top of this, while there are costly and complex regulations to abide by and strict rules on breach reporting, the authorities, far from helping to deal with any incident or catch the actual criminals, simply use the reporting to assess the allocation of fines.
Functional, Cultural Mismatch
If asked, most staff would agree that cyber threats are a significant issue, but in their day job, they focus on revenue or profit-centric ROI (return on investment) metrics. These are the metrics on which their individual and unit performance are measured and what company-wide incentive policies are structured to support.
The CISO is instead focused on return on risk (ROR). Based on the allocated budget and the organisation’s risk appetite, the CISO focuses on maximising security and minimising risk.
The mismatch between the CISO’s ROR orientation and just about everyone else’s ROI orientation can put the CISO at odds with the rest of the management team. They may not only become isolated (what I term CISOlation) but can also be a scapegoat when things go wrong – even when warnings are ignored.
Perverse Regulatory Incentives
In an accompanying article, Jakub Lewandowski has explored the raft of new privacy and cybersecurity laws expected to add to an already considerable regulatory burden. The problem is that regulation without enforcement is not just pointless but counter-productive. After all, only responsible companies will comply with these regulations, and for them, it represents a cost or compliance tax. Meanwhile, irresponsible ones often choose not to abide by the rules. If they believe that there is little or no risk of enforcement, then this is a cost-saving and risk-free source of competitive advantage.
Lack of compliance is widespread and comes from the top, with frequent headlines about BigTech suffering data incidents or incurring fines. Such fines appear not to be working as a deterrent but are instead being viewed as an additional cost of business by BigTech firms and many others unfortunate enough to have suffered a data incident.
Again, responsible firms that did their best to take reasonable measures but were unfortunately unable to prevent mistakes or attacks run the risk of being fined once they notify the local regulator. Meanwhile, irresponsible ones who choose not to comply will simply avoid reporting incidents and attempt to cover them up instead to avoid fines. Fines have, therefore, become more of a lagging indicator of misfortune for responsible firms rather than of misbehaviour by irresponsible ones.
Record of Regulatory Inaction
Most BigTech firms, attracted by a favourable tax regime, have opted to base their European headquarters in Ireland. The local regulator, DPC Ireland, is therefore responsible for ensuring that they comply with GDPR and other such regulations. Whether down to inadequate funding, reluctance to rock the boat, or simply being out-gunned and out-lobbied by the BigTech firms, DPC Ireland has been seen as ineffective in holding them to account.
In one notable case, measures it failed to take against Facebook were eventually resolved in the European High Court under the Schrems I and Schrems II rulings. When it still failed to take action and apply these rulings, DPC Ireland was sanctioned by the European Parliament in a vote of 451 to 1. When lobbying by regulators across the rest of Europe eventually forced it to act after a two-year delay, the fine that it levied against Facebook was so low that it had to be increased (tenfold) at the insistence of the other regulators.
The EU Ombudsman Emily O’Reilly eventually opened an inquiry into the European Commission’s monitoring of how data protection rules are applied in Ireland. Eight months later, the Irish Council of Civil Liberties (ICCL) criticised the EU for its continued failure to properly monitor Ireland’s GDPR enforcement while “the fundamental rights of all Europeans hang in the balance.” There are now moves afoot to strip Ireland of its responsibility for regulating the BigTech firms and centralise such enforcement instead.
Ineffective Global Policing
Meanwhile, the number and sophistication of cyber-attacks are increasing exponentially, as is the cost of remediation. The World Economic Forum (WEF) has recently not only called for more widespread use of cybersecurity ‘fire drills’ to test cybersecurity and incident response capabilities but is also championing the need for global rules to crack down on cybercrime.
The damages incurred by all forms of cybercrime, including the cost of recovery and remediation, are thought to have totalled $3 trillion in 2015 and $6 trillion in 2021 and could reach as much as $10.5 trillion annually by 2025.
Cyber insurance isn’t the answer. Rapidly increasing premiums mean that it is out of reach for most buyers, and even those who can afford it often find it’s not worth it. At the same time, cyber insurance cannot be expected to cover systemic problems, and in any case, it has the perverse effect of potentially making bad problems even worse.
While almost all nations have signed up to United Nations agreements on combating crime, including cybercrime, some nations turn a blind eye and instead provide safe havens for cybercriminals to operate from. While most cybercrime originates from countries like Russia, Iran, or North Korea, such activities are not confined to these rogue nations and continue closer to home. In addition, countries like China have significant espionage operations, and the United States is responsible for a great deal of global mass surveillance – all of which contravenes GDPR and a host of other laws.
We need to start with mandatory reporting of data breaches and cyber theft. This has begun in the US with 2022’s Cyber Incident Reporting for Critical Infrastructure Act and in the EU with 2018’s Directive on Security of Network and Information Systems. Beyond these, a host of other regulations require telecoms, payment services, medical device manufacturers, and critical infrastructure providers to report breaches.
Once we have better data on the problem, we can focus on improving international investigation, prosecution, and adjudication efficiency and effectiveness. The United Nations Office on Drugs and Crime is promoting a Cybercrime Programme which has the following aims:
- Increased efficiency and effectiveness in the investigation, prosecution, and adjudication of cybercrime, especially online child sexual exploitation and abuse, within a strong human rights framework.
- Efficient and effective long-term whole-of-government response to cybercrime, including national coordination, data collection, and effective legal frameworks, leading to a sustainable response and greater deterrence.
- Strengthened national and international communication between government, law enforcement, and the private sector with increased public knowledge of cybercrime risks.
These are laudable goals. However, we are a long way from victims of crime being able to pick up the phone to police at the local, national, or international level with any expectation of getting either practical assistance or justice. The reality is that when it comes to cybercrime, aside from private sector incident response specialists, you’re on your own.
- Staff are rarely adequately disciplined about cyber hygiene
- Regulators are not proactive in tracking down and countering non-compliance
- Criminals are growing in confidence, intensity, and sophistication
- Police are unable to act against criminals operating from safe havens
- And CISOs are the default scapegoat when things go wrong
In this ‘Wild West’ environment, there is no cavalry coming to the rescue, so you are expected to be adequately armed and ready to defend yourself. Take hints from Thomas Bryant’s article and learn how best to deal with it. There is no substitute for getting your cybersecurity and incident response right.