What comes to mind when you hear the phrase “cybersecurity ecosystem”? I think of all the actors and participants that have a need to deliver operational security, those who can enable the delivery of operational security, those who benefit from it, those who threaten it and those who deal with the consequences of insecurity. This captures a huge array of people and organisations, with myriad skill sets. For example, we might identify those with a need to deliver operational security as a company, or a public body, or a school, church or charity. The enablers of security might be technology companies, product manufacturers, distributors and retailers, professional service providers, affinity groups, think tanks and Parliament. The beneficiaries might be ordinary people, or business partners. Those who threaten security might be a hacker, a rogue insider, a careless person or simply someone having a bad day. Those who deal with the consequences can be the incident responders, the police, the courts, the regulators and insurers.
We can jumble things around and a different picture forms. For example, an enabler looked at through a different lens might be seen as a threat to security. A current example is found within section 122 of the Online Harms Bill, which presents a threat to end-to-end encryption, albeit probably not an immediate one, so in that sense Parliament, which is usually an enabler of security, instead generates a risk. Or what about the security researcher? They enable security by helping to spot vulnerabilities, but sometimes they might cross a line into computer misuse offences and, as their white hat turns a shade of grey, they can be described as a threat. Similarly, think about technology companies: for every enabling act of security, there is a corresponding enabling act of insecurity, which is why we talk about bugs in code and bug bounties being on the same continuum of issues as zero days. Think about the beneficiaries - you, me, us - and you know we will be victims now and again.
Is this perspective on the cybersecurity ecosystem and the categorisation of actors helpful? I think so, because it provides a framework to think about the issue of duty and how the law should address what that duty consists of, when it should do so and why. When we get to that point of deduction, we see another significant issue emerge, which is that huge swathes of the cybersecurity ecosystem are unregulated, or under-regulated, or unclearly regulated. There are large areas where a regulatory gap exists and, to my mind at least, it is something that we need to understand.
Perhaps one way to conceptualise the issues is to list as quickly as you can the areas where you know regulation exists and who the regulated actors are. Take sixty seconds and see what you come up with.
I expect that most of you will have identified the GDPR and its controllers, processors and data subjects. Many of you might have remembered NIS, the operators of essential services and digital service providers. Perhaps DORA came to mind, snagging you some of the financial services sector. Or the Communications Act, for telcos. And isn’t there some other stuff on the cards about technology manufacturers? From there most of us will likely run out of ideas.
Now, play the game from a different angle, from the ecosystem, bottom up. What’s the duty for company directors who represent the controlling mind? Or what about the CISO? Or the MSSP? Or the SI? Or the management consultant? Or the pen tester? Or the security researcher? Or the lawyer? Have we got the crimes nailed down? What about the evidential issues within the criminal justice system? Do we have any views about the regulators, or the courts? Is there access to justice for victims?
Regulation of the cybersecurity ecosystem has been described as a “patchwork of primary and secondary legislation”. It's a good point, but when I read that, I imagine a patchwork quilt that provides a total coverage, albeit assembled from bits and pieces.
However, in my mind's eye I see something different. What’s the phrase for a quilt with great big holes in it?