Where’s Cybersecurity Regulation Going in 2024?

Navigate 2024’s cybersecurity landscape with resilience, reporting, responsibility, privacy, and AI readiness.

December 12, 2023


In this insightful piece, Greg Bulmash of GitGuardian analyzes the evolving cybersecurity regulations, emphasizing resilience, reporting, responsibility, privacy, and AI considerations. Stay ahead in safeguarding your digital assets.

If you have any doubt about the importance of cybersecurity to governmental bodies, follow the money. United States federal agencies tasked with protecting information and infrastructure security have seen 45-55% budget increases in the past two years. And that’s being mirrored around the world. 

Regulation can be ponderous and slow. We know a lot about many regulations that will be implemented in 2024 because they’ve gone through multiple comment periods. The focus for 2024 is to watch for upcoming regulations to avoid being blindsided by them.

In 2024, we expect to see further regulation and activity in six main areas: Resilience, Reporting, Responsibility, Privacy, Standards, and Artificial Intelligence (AI).

1. Resilience

Resilience is like an onion. It has layers. 

The NIST definition of resilience is: “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Anticipating, withstanding, recovering, and adapting are all layers.

Each layer will see updates to respond to new attack vectors, technologies, and best practices. To stay ahead of the curve, the key focus is dependability. 

Ransomware and DDoS (Distributed Denial-of-Service) attacks fit the layered model of anticipating (you know they’re coming), withstanding (prevent/catch them), recovering (keeping critical systems working while you clean up the mess), and adapting (watch for new threats and update procedures and policies). 

The importance of playbooks and training cannot be overstated. Training in day-to-day practices is important, but having detailed instructions on how to handle emergent situations (playbooks) will allow you to prevent more incidents and more quickly handle the ones that get through. 

Additionally, regular audits for insecure data storage, API keys and passwords hardcoded in your code, etc., can close off common avenues of attack.

Resilience helps you prepare for upcoming legislation like the EU’s Cyber Resilience Act (CRA). Critics claim that common software development practices, such as using third-party packages, could be upended depending on the first test cases and where liability eventually lands.

2. Reporting

Reporting became a news item in November 2023. Imagine you’re a publicly traded company that gets hit with a ransomware attack. You decide to keep quiet, solve it yourself, and not pay. To an extent, that’s resilience in action. There’s only one problem… reporting.

The hackers you refused to pay threaten to report you to the Securities and Exchange Commission (SEC) for not reporting their hack under new rules. As some small measure of solace, the rules are so new they haven’t yet gone into effect.

Reporting is actually in your best interest. You’ve seen the pattern: companies that try to cover up or slow-roll an incident generally suffer greater reputational damage and sometimes incur fines.

The playbooks mentioned in the previous section should have a section on reporting. Understand which systems and kinds of data incur which kinds of reporting and how to make those reports. And keep your playbook up to date as those requirements mature.


3. Responsibility

As attacks increase, a lever to improve corporate compliance with new regulations will be increased responsibility placed on developers, manufacturers, and systems owners when their products or systems are compromised. These will come primarily in the form of increased penalties and liabilities embedded in laws and regulations going into effect in 2024, while expansions and increases will be proposed in new legislation and executive orders.

As mentioned in the Resilience section, the Cyber Resilience Act in the EU is gaining a lot of attention for the potentially hefty fines that can be levied against software and hardware makers for delivering insecure products to the market.

Again, one of your best ways of coping with this is to focus on your layers of resilience. The better you are at preventing, handling, and recovering from incidents, the less likely you’ll be hit with large penalties.

4. Privacy

Privacy doesn’t just mean a written privacy policy and a warning that you use cookies. New rules and regulations continue to evolve around how you store customer data, how long you retain it, who has access to it, and how much control you must give individual customers over it.

Look for rules around likenesses, voiceprints, and other biometrics. Even corporate executives are banging the drum. Warner Music CEO Robert Kyncl was quoted in September 2023 saying that “name, image, likeness, and voice” should be granted the same protections as copyrighted works. As these concerns move beyond celebrities to everyday people, political pressure increases to expand protections for what makes us recognizably us.

Be prepared to secure that data better and to give customers more granular control over it. The EU and California both have privacy rule changes taking effect in 2024. Expect this area to remain active in 2024.

5. Standards

The cybersecurity agencies getting the big budget increases are responsible for researching, defining, and promoting best practices for security, privacy protection, etc. 

Identity and authentication remain an important area of focus because many intrusions are based on compromised credentials.

A second and highly important area is cryptographic standards. Cryptographic algorithms continue to fall to new technology, sparking requirements for stronger ones.

While adopting a new standard may be as simple as updating a core cryptographic library, evaluating what integrations and connections could break is essential. Whether one or more cryptographic standards will be deprecated in 2024 is not a question. It’s a question of which.

6. Artificial Intelligence (AI)

Artificial Intelligence is the biggest reason we expect more security standards around using “image, likeness, and voice.” 

Aside from the threats around identity theft and AI code-breakers, this will tie highly to election security worldwide. Disinformation campaigns by state-sponsored actors and motivated private citizens will create deep fakes of politicians and manufactured images of social strife to create outrage. 

This could impact your business if you allow user-generated content: social media, review sites, forums, and companies that provide or host blogging software. Under the aegis of election security, regulations may impact how you receive, store, analyze, and display information.

On top of this, many are accusing AI makers of rushing their services to market with inadequate testing. That accusation became a major point of contention in the OpenAI firing of Sam Altman. It was highlighted when Google researchers found ways to make ChatGPT reveal pieces of its training data. 

AI will face continued scrutiny as further vulnerabilities expose the “secret sauce” of personally identifiable information, credentials, and copyrighted works lurking beneath their surfaces. In terms of security, expect lawmakers and regulators to respond to the growing privacy implications.

Strategic Imperatives for 2024

The best way to avoid getting harmed or taken by surprise by new regulations in 2024 is to be vigilant in your resilience, standards compliance, privacy protection, and role in AI proliferation. As the penalties, fines, reporting requirements, and reputational damage that encourage responsibility get stronger, watching these areas and letting them inform your company’s infrastructure and code security standards will be crucial.

How is your organization gearing up for 2024’s cybersecurity changes? Let us know on Facebook, X, and LinkedIn. We’d love to hear from you!

Greg Bulmash

Technical Content Writer, GitGuardian

Greg Bulmash is a Technical Content Writer at GitGuardian, writing remotely from just outside Seattle. He’s worked for some of the biggest brands in news and technology, including IMDb, MSNBC.com, Microsoft, Amazon, AWS, and Amazon Alexa. He has been an invited speaker at tech conferences on three continents and his novel Hell on $5 a Day is available on Amazon.