According to these publications, the US is working on revamping its cybersecurity regulatory framework, moving away from a regime based on voluntary threat assessment and management toward one based on regulations enforced by the federal government. The move comes in the wake of increasing cyberthreats to IT, IoT, and OT-based infrastructure, emerging from the ongoing conflict in Eastern Europe among other factors.
US lawmakers and regulatory agencies have identified the following trends as reasons for concern:
- New threats emerging from APT groups and actors connected to the conflict and other countries harboring adversarial intentions against the US
- Lack of a disciplined approach to cybersecurity by businesses
- Voluntary regulatory requirements are not being met
- The tendency to attribute successful cyberattacks to the extraordinary skills of hackers and the groups they are part of
- In the pandemic era, businesses bouncing back from periods of low revenue and growth are now focusing on growth itself rather than on the cybersecurity measures needed to protect and sustain that growth
- The threat perception of businesses in certain sectors is not aligned to ground realities
- Current discretionary measures are not encouraging businesses to address cybersecurity concerns as a priority, or to treat them with the same seriousness as health, safety, and environmental priorities, which are highly regulated
Such trends could lead to a complete overhaul of cybersecurity legislation, and the US may even introduce sector-specific regulations to improve the country's overall cybersecurity posture by getting businesses and whole industries to close gaps in their posture through regulatory compliance measures.
With improvements in malware development and payload delivery mechanisms, attackers are increasingly staying a step ahead of countermeasures. However, businesses that maintain multiple layers of cyberdefense and operate with the requisite awareness and diligence often detect and prevent cyberattacks. Further, companies that have invested in building and operationalizing a comprehensive cyber governance regime, both internally and across their supply chains, are at a clear advantage compared to peers focused only on operations and revenue.
Is a cybersecurity overhaul the way forward?
Governments in the UK, Singapore, India, Australia, and the UAE are working on some form of regulatory intervention to get businesses to pay more attention to cybersecurity. Governments in these countries face the same challenges as the US government in getting businesses to voluntarily adopt and comply with better cybersecurity practices and to report incidents early. Legislation enacted by the US may also trigger similar legislation in other countries that are not currently considering any cybersecurity-related legislation.
However, one factor we need to consider when relying on regulations is the ever-changing threat landscape. Every fortnight we see the emergence of new actors, threat vectors, breach tactics, and collaborations. Access to complex malware and multi-loaders is now easier than ever, and we have seen a significant deterioration of the threat environment since 2020. Thus, in addition to regulatory mechanisms, there should also be a commitment to revise these regulations periodically to keep them relevant and aligned with the threat environment and the other dynamic factors that have a bearing on cybersecurity.
Regulations should also encourage businesses to collaborate on best practices at an industry or a peer-to-peer level on cybersecurity issues. To learn more about how to improve your compliance posture, download our compliance kits.
Join our upcoming webinar: Key Takeaways from Sectrio's Global Threat Landscape Assessment Report 2022
IoT- and OT-focused threat intelligence feeds, free for 15 days. Try them right now: Threat Intelligence
We also have the right cybersecurity solutions for your critical infrastructure. Allow us to give you a sneak preview of its capabilities through a no-obligation demo.