In Silicon Valley startup culture, “cookie licking” is a derogatory phrase. A cookie licker stakes a claim to a project in a way that prevents anyone else from having it, despite not having the ability to immediately execute on the project. The licker wants to save the delicious opportunity despite being too full to eat it immediately.
Sadly, cookie licking also comes to mind when we see the regulatory sharks circling in emerging tech areas such as cryptocurrency, artificial intelligence, or cybersecurity. As a former federal cybercrime prosecutor, appointed Obama administration cyber commissioner, and corporate information security executive recently convicted of cyber-related crimes, I have seen this up close more than anyone.
Twenty-five years ago, when I was tasked with bringing federal enforcement actions to protect people on the internet, my peers and I figured out one thing really quickly: The internet is different from any other place where law enforcement is expected to protect people because most of the internet is operated and managed by the private sector. Keeping people safe on the internet requires the government to invest in public-private partnerships and set clear expectations for those private sector entities. Back then, we also had to rely on legal codes crafted by Congress long before the internet was a twinkle in Al Gore’s eye. The law was not sufficient then, and it isn’t now.
Regulation by enforcement not the answer
Indeed, decades later, Congress has done little to establish rules of the cyber road or even articulate which authorities should be our cyber cops. The executive branch may have little choice but to do what it is doing now: Establish expectations for the private sector through regulation by enforcement. This is not ideal for anyone because regulation by enforcement doesn’t give corporate actors clarity on the rules of the road and empowers regulators to jump into any area that seems sexy without the requisite foundations of expertise, resources, and expectations. It is particularly dangerous when it leads the private sector to become afraid to work closely with the government to keep people safe.
The growing adversarial relationship is fueled by another unfortunate reality: Most of the malicious criminals who hurt Americans over the internet do so from outside the United States, where too often our law enforcement authorities are incapable of bringing justice to bear against those intent on harming others. Often impotent against these external actors, to many people in the industry it seems that enforcement authorities have shifted their gaze to the private sector as the easiest way to demonstrate to the public that they care.
When the SEC announced on Monday that the agency was initiating proceedings against a security executive at SolarWinds, the corporate information security executive community shook in its boots. Until now, the SEC has never taken public action against an information security leader, and most are struggling to understand why a person in a technical, operational role who was not responsible for legal disclosures would be in the SEC’s crosshairs. Even worse, it seems his efforts to point out security deficiencies inside the organization are being used against him.
Real public/private partnership needed on cybersecurity rulemaking
Does it make sense for the SEC, an agency whose mission is to protect investors and promote fairness in the securities markets, to be inserting itself into and becoming an expert on cybersecurity practices? Or would it be better for regulations to be developed by policymakers in close partnership with security engineers and professionals, cyber executives, and former hackers turned good?
I’ve seen this unfold before–and from an unfortunate front-row seat, sitting in federal court, facing criminal charges related to a security incident investigation I led in 2016 as the chief security officer of Uber. I successfully protected the personal information of millions of our customers and drivers, but because the US Federal Trade Commission (FTC) felt that the company failed to keep the FTC apprised of the matter, the Department of Justice decided to prosecute me for obstructing justice and concealing a federal crime.
The parallels are striking. Neither the FTC nor the SEC was empowered by Congress with responsibility for cyberspace, and both have relied on pre-existing authorities related to corporate representations to bring actions against individuals who did not have corporate duties managing legal or external communications. They are using the tools at their disposal to change expectations, even if it means bringing a bazooka to a knife fight. These cases make CISOs worried that in addition to being technical experts they also need to personally become experts on data breach disclosure laws and experts on SEC reporting requirements rather than trusting their peers in the legal and communications departments of their organizations.
What we need is a real partnership between the public and the private sector, clear rules and expectations for IT professionals and law enforcement, and an executive branch that will attempt regulation through rulemaking rather than through ugly and costly enforcement actions that target IT professionals for doing their jobs and further deepen the adversarial public-private divide. Only when we get to that place of real partnership will we all together be able to truly keep people safe online.