Can we legislate for transparency to improve cybersecurity?
It’s widely accepted that greater transparency is necessary if we’re to have a safer and more secure software ecosystem. The SolarWinds hack underlined this fact: the full extent of the hack took so long to emerge not only because of the clandestine nature of the attack, but also because the organizations affected didn’t share information about what had happened and when. But how can we tackle this? According to Brad Smith, the Microsoft President and Chief Legal Officer, the answer lies in legislation.
At a congressional hearing in response to the SolarWinds attack, Smith said that “silence reigns” when private companies are hacked. “We need to replace this silence with a clear, consistent obligation for private sector organizations to disclose when they’re impacted by confirmed significant incidents,” he argued.
It isn’t that surprising to hear Microsoft call for more legislation: laws lead to standardization, and standardization will almost always help the largest players in the market. Indeed, Smith didn’t even hide this fact. As The Register noted, Smith “argued that the size and scope of the hack meant that it was more important than ever that everyone move their computing to the cloud.”
However, while Smith clearly has a vested interest, that doesn’t mean he’s wrong. Legislation might not stop cyberattacks from happening, but it can, at least, help the industry to have a more honest conversation about them.
This isn’t just about pointing the finger at companies that make mistakes. A climate of shame and blame is the last thing we need; it will make the tech industry a cagey and unpleasant place to be (some might say it already is), and in particular it will make life more difficult for the people that need to be trusted and empowered — security professionals.
It’s really about recognising that in today’s highly connected economy (and software landscape), no company is an island. As SolarWinds proved, the opportunities that the SaaS and PaaS markets provide the industry also connect and link it together, making organizations vulnerable to similar threats and the same issues of resilience and reliability.
Don’t we already have regulation where it’s needed?
The argument might be made that we already have regulation in place where it’s needed. In the public sector, aviation and healthcare, software has to jump through many more hoops for approval as part of the procurement process. That means, the argument goes, that where cybersecurity is most important, there’s enough oversight in place to ensure that vulnerabilities and risks are kept to a minimum.
While this distinction is important, it’s also out of date. You can’t impose arbitrary distinctions between markets in today’s software world; networks and systems are inextricably connected. Of course, sometimes that’s obvious; but occasionally it’s subtle and almost impossible to see.
True, we don’t necessarily need blanket legislation. There must be sensitivity towards context, otherwise the situation will only become more complex — the exact thing we’re trying to manage in the first place. But we do need something that can help us all — whether we’re working in huge corporations or small businesses — to better secure our software and give customers and users confidence that their interactions with us are safe.
This problem isn’t going away
This problem isn’t going to go away. If anything, the problems are likely to become more urgent and visible. As the world starts to find more applications for IoT, for example (something that hasn’t really happened as extensively as many people predicted back in, say, 2015), the ways in which software systems, products, supply chains, and more are connected to one another are only going to become more sophisticated.
Indeed, IoT regulation is still in its infancy, and it doesn’t seem as though anyone’s been able to find their footing. That’s all well and good while it remains an emerging part of the economy, but if it does find its way into the mainstream, ensuring that standards are met and that software is secure won’t simply be a nice-to-have; it will be critical for the safety of millions of people.
Of course, this isn’t to say that legislation needs to be crafted from a place of fear. That’s never a smart place to begin. If we do, we’ll end up with something punitive, which doesn’t help anyone. However, if everyone in the cybersecurity industry can be proactive in calling for the rules they need, rules that support and validate them in working the way they know they should, then we will at least be in a good place to begin this long and challenging journey over the decades to come.