With the emergence of generative models, and large language models (LLMs) in particular, and the meteoric rise in the popularity of ChatGPT, there are once again calls for more security regulation.
As expected, the immediate reaction to a new and unexplored technology is fear, which may result in regulatory overreaction. Although I think security regulation has its merits, we must remember that it doesn't always achieve more security. Here are a few examples of security-related regulations that sounded like a good idea at first but achieved the opposite result.
PCI-DSS is a security standard developed by the credit card industry that applies to anyone who wants to swipe customer cards, or more technically, to anyone who stores, processes, and/or transmits cardholder data. Version 1.1 of the standard was developed in 2006 and required a minimum password length of seven characters. That may have been good enough at the time, but today's standard hardware is able to crack such passwords in anywhere from a few days to less than a second.
In March 2022, the standard was updated to a minimum length of 12 characters (or, if a system doesn't support 12 characters, a minimum length of eight characters). Nevertheless, this requirement is merely a best practice until it becomes binding on March 31, 2025. But while 12 is better than seven, this too will become crackable in the coming years.
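The point that a fixed minimum length ages with hardware can be put in numbers. The following is an added example, not from the original article or the PCI Security Standards Council: it applies the v4 length rule described above (12 characters, or 8 where a system cannot support 12) and estimates how long an exhaustive search of a given length takes, and how many years of assumed hardware growth it takes before that search fits inside a chosen time budget. The guess rate, the character-set sizes and the two-year doubling period are assumptions chosen for illustration, not figures from the page.

```python
import math

# Assumed character-set sizes: lowercase letters, mixed-case alphanumerics,
# and the 95 printable ASCII characters.
CHARSETS = {"lower": 26, "alnum": 62, "printable": 95}


def keyspace(length, charset="alnum"):
    """Number of distinct passwords of exactly `length` characters."""
    return CHARSETS[charset] ** length


def exhaustive_search_seconds(length, guesses_per_second, charset="alnum"):
    """Worst-case seconds to try every password of the given length
    at an assumed offline guess rate."""
    return keyspace(length, charset) / guesses_per_second


def years_until_crackable(length, guesses_per_second, budget_seconds,
                          doubling_years=2.0, charset="alnum"):
    """Years until the assumed guess rate (doubling every `doubling_years`)
    brings the exhaustive search for this length under `budget_seconds`.
    Returns 0.0 if it already fits inside the budget today."""
    secs = exhaustive_search_seconds(length, guesses_per_second, charset)
    if secs <= budget_seconds:
        return 0.0
    doublings_needed = math.log2(secs / budget_seconds)
    return doublings_needed * doubling_years


def pci_dss_v4_min_length(system_max_supported):
    """Minimum length from the article: 12 characters, or 8 on a system
    that cannot support 12."""
    return 12 if system_max_supported >= 12 else 8


def meets_policy(password, system_max_supported=12):
    """True if the password satisfies the applicable minimum length."""
    return len(password) >= pci_dss_v4_min_length(system_max_supported)


if __name__ == "__main__":
    RATE = 1e10          # assumed guesses per second for an offline attacker
    ONE_DAY = 86_400
    for n in (7, 12):
        secs = exhaustive_search_seconds(n, RATE)
        yrs = years_until_crackable(n, RATE, ONE_DAY)
        print(f"{n} alnum chars: {secs:,.0f} s to exhaust, "
              f"under a day after ~{yrs:.1f} years of growth")
```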
Security regulation that is very specific becomes outdated very quickly.
The Downside of a Regulation Being General
The flip side of specificity — namely regulation that is too general — can also have a detrimental effect on security. The European General Data Protection Regulation (GDPR) comes to mind as an example of such a case. GDPR aims to protect personal information. According to the regulation, personal data is any information that relates to an identified or identifiable living individual. As you can see, the definition of personal data is very wide and all-encompassing. The Court of Justice of the European Union has already ruled that IP addresses constitute personal data of the user. It's no wonder, then, that security departments are in a constant battle with legal departments over the question of which logs they can collect to keep the organization safe.
As any blue-team professional will tell you, logs are crucial in providing visibility of the environment we are trying to protect. Without logs, we are mostly blind to both benign and malicious activity on the network. Nevertheless, if logs can carry personal information of employees, customers, and suppliers, is it worth being more secure at the risk of being fined up to 4% of global turnover? Unfortunately, due to the broadness of the regulations, organizations tune their answer to these questions mostly based on the conservativeness of the legal department.
Everyone Has an Opinion About Regulation
Finally, we must also remember that any regulation is a product of never-ending debates and negotiations between different stakeholders, legislators, political lobbies, and industry and interest groups. As such, the final regulation draft will always reflect compromises that were made along the legislative journey. Unfortunately for us, in the security realm, any such compromises create suboptimal security and regulatory openings that may be exploited by attackers.
Therefore, we must remember that being secure and being compliant with regulations are two distinct things. It is not a coincidence that compliant organizations may still get breached, because compliance does not guarantee security. This result is quite disturbing, since it undermines the fundamental raison d'être of security regulation. If it's not there to ensure that we are truly secure, then why even bother?
A few years ago, several researchers published a paper that analyzed the effectiveness of regulation that imposed the obligation to have car safety seats for children. According to the researchers, US states have gradually been increasing the age at which children are required to use child safety seats since 1977. Because many standard-size cars cannot accommodate three child seats in the rear, these restrictions considerably increased the cost of having a third child. The researchers further estimate that 57 fewer children died in automobile accidents in 2017 as a result of these policies across the country. At the same time, they were responsible for the long-term drop in birth rates, which has resulted in 145,000 fewer births since 1980, with 90% of that loss occurring since the year 2000. It's easy to see, then, how good regulatory intentions can turn out to have a negative effect.
Before imposing more security regulations upon organizations, we must ask ourselves: Are we really improving security, or are we just imposing more regulation?