I just had a slightly shocking experience. I was participating in a great end-of-year webcast for Infosecurity Magazine, hosted by deputy editor James Coker and featuring Diana Kelley, CISO of Protect AI, and Brian Honan, owner of BH Consulting. James asked the three of us what we considered to be the most positive development of 2023, and I was surprised that we all offered the same response.

Now, while security folk can at times be a little <cough cough> argumentative, it’s not necessarily surprising that we agreed with each other. Security people frequently agree that increasing reports of ransomware attacks are concerning. We agree that it’s terrible that phishing is still the number one attack vector, and that we still see well-known classes of vulnerability like cross-site scripting and buffer overflows occurring. You’ll often hear security professionals agree that working in security is hard, and that supply chain risk is a huge problem.

So it wasn’t the agreement that was shocking, but rather the topic we were all agreeing on. Specifically, all three of us said that the most positive development in cybersecurity in 2023 has been the focus and engagement of government policymakers.

Part of what makes this interesting to me is that Diana is American, Brian is Irish, and I’m British. We were commenting not just on one government that happens to be ahead of the curve, but rather on multiple governments engaging on cyber policy. That said, there was a lot of love going in particular to the European Union, with special callouts to the EU AI Act and the Cyber Resilience Act. I appreciate that opinions vary on the specific details of these pieces of legislation. But there does seem to be general security community support for setting expectations that developers and vendors of technology incorporate agreed best practices into their processes, so that users are not exposed to unnecessary risk.

Is agreement on policy so surprising?

The security community has a checkered past with government policymakers (or a checkered present, for those following the CTI League hearings or the SEC’s charging of SolarWinds CISO Tim Brown). Controversial issues such as encryption backdoors, mandatory security disclosure requirements, and private sector hack back have often resulted in security professionals decrying the efforts of policymakers. Just last month I spoke about government intervention at an event in Dublin, and a member of the audience commented that he wished “they would just leave it alone.” So Diana, Brian, and I all lavishing praise on policymakers did seem surprising.

This was particularly so because we didn’t just call out government engagement as a positive, but as the positive development of the year. Perhaps this speaks to how gloomy other aspects of security appear: the lack of progress in driving adoption of baseline security activities, the previously mentioned recurrence of known vulnerability classes, and the lack of traction in the fight against ransomware. Perhaps government engagement really is the only bright spot. But then again, don’t all those negative points just speak to why government intervention is so necessary at this point?

Perhaps people will say I shouldn’t be surprised that policy came up, given that I’m a shameless policy wonk. As well as sitting on the board or advisory groups of a number of policy-adjacent nonprofits like the Center for Cybersecurity Policy and Law, I also serve on a few advisory boards for the UK government. I even co-host the Distilling Cyber Policy podcast, which you should totally check out!

Similarly, Brian sits on an advisory group for the European Union Agency for Cybersecurity, better known as ENISA. And while I’m not aware of Diana having any particular policy affiliations, she’s the CISO of a company focused on the security of AI, which is a very hot topic in policy circles at the moment. Maybe we just coincidentally ended up with a panel of security pros biased towards policy engagement.

Changing attitudes?

On the other hand, perhaps attitudes in the security community are changing. Earlier this year, I blogged about policymakers participating in security industry events. For example, Policy @ DEF CON grew significantly this year, with three dedicated tracks of policy content running throughout DEF CON and more than one hundred policy-related talks submitted to the CFP. This doesn’t just reflect a level of commitment from policymakers; it also reflects a level of interest from security professionals.

Similarly, when I put out a survey to see how UK security professionals view cyber policy efforts, 93% of respondents indicated that they are interested in working with policymakers to help shape policy outcomes for cybersecurity. Just over half (53%) of respondents indicated confidence that they understand the UK’s National Cyber Strategy, suggesting that they are paying attention to these kinds of developments. There is likely some selection bias here, as people who responded to the survey probably already had some kind of interest in policy, but 82% of respondents indicated that they don’t feel they have access to engage in policy, so it wasn’t all people like Brian and me.

It feels to me like many security professionals have started to come to the conclusion that while we might like to avoid government intervention and work things out for ourselves, the reality is that free market forces have not solved security issues or even nudged us in the right direction. In many cases, the reverse is true: market forces have incentivized anti-security behaviors that increase risk. For example, vendors hiding security incidents or vulnerabilities to protect their reputations, rather than prioritizing mitigation and transparency to protect those affected.

Numerous examples of this kind of behavior, and their long-term societal, economic, and national security impact, are exactly what is driving policymakers to engage in cyber policy. And for all of us security professionals sitting around agreeing that our jobs are hard and supply chain risk is a real problem, perhaps we’ve finally realized that the right kind of government intervention can help. The key is ensuring that policymakers, security experts, and industry all work together to find the right balance, so that policy addresses the right problems in the right way.

Jen Ellis
