Regulating for Cybersecurity

Warsaw Enterprise Institute (June 2021)

in Polish, with Maciej Troć

The full text of the report (in Polish) can be downloaded here.

This report gives on overview of the problem of cybersecurity and discusses four models of regulation aimed at improving cybersecurity relevant for Poland and the European Union. We argue that all four models should be used, but the details of their implementation need to be assessed carefully, to avoid security theater and disproportionate compliance costs. We also caution against a false sense of security: no amount of regulation can guarantee cybersecurity.

The four models we discuss are:

Coordination and exchange of information. The asymmetrical nature of cybersecurity, where defense at a disadvantage relative to offense, calls for sharing of valuable technical knowledge among those engaged in defense. We support the planned changes in Polish law (in the draft National Cybersecurity System Act — the NSC Act) intended to promote coordination and exchange of information, but we note the reporting duties for businesses will only be proportionate if the reports are going to be analyzed and used, which may be difficult given institutional constraints in Polish public administration.

Certification of suppliers, products and services. We support the draft NSC Act in its aim to provide a framework for cybersecurity certification in Poland. The NSC Act is right to keep certification voluntary and any exceptions to that should be subject to rigorous impact assessment, especially assessing the additional benefits of obligatory certification in a zero trust security model.

Supporting security research. Polish criminal law relevant to security research (e.g. penetration testing, development of exploits) was liberalized in 2017, but the risk of criminal liability is still unacceptably high. We suggest amendments in the Polish criminal code that would remove unnecessary ambiguity and appropriately reduce the scope of now over-broad legal rules. We also discuss the desirability of greater use of bug-bounty programs by Polish public administration.

Legal liability for incidents. Civil liability for cyber incidents is not effective enough today to incentivize discovery and implementation of adequate solutions for cybersecurity. We thus suggest opening a debate on adopting strict liability of businesses that process personal data of consumers for damages from breaches of confidentiality, integrity, and availability of the data. The kind of liability we envisage would go beyond what is provided in Article 82 GDPR.