As a result of the recent Colonial Pipeline breach, “in many ways, the taboo that surrounded the idea of regulatory interventions for cybersecurity has been broken,” Andrew J. Grotto, former White House cybersecurity policy director, said at the ABA’s sixth annual Internet of Things (IoT) National Institute.
While the ransomware attack “may be the nail in the coffin,” Grotto said he believes sentiment has been shifting toward regulation “for some time now.”
Grotto, who served in the Obama and Trump administrations and is now a fellow at the Hoover Institution, took part in a “fireside chat” with UC Berkeley Law School lecturer James Dempsey on “There Ought to Be a Law? The Need for IoT Privacy and Cybersecurity Legislation.” The two-day online institute covered the latest IoT topics, including regulation, enforcement, legislation and crisis/pandemic issues, as well as complex legal issues concerning contracts, negotiations, insurance, the global supply chain and the environment.
“In an ideal world,” Grotto said, cyber risk could be treated the same way we treat emissions: “set a clear, objectively measurable result” that needs to be met. The key, he said, is measurement.
“If we can pin down with more accuracy and precision risk mitigation” tied to outcomes, “that would be a big step.”
Europe has taken a broad-based approach to privacy, where governments set a baseline across all sectors of the economy, while the U.S. has approached it with sector-specific laws.
Grotto said he’s “drawn to a baseline approach, certainly for a certain class of products like IoT devices,” while Dempsey said, “We’re always going to need some sector-by-sector approach.” He added that what works for a nuclear power plant won’t necessarily work for a car.