Why Europe’s DORA regulation is a band aid but not a cure


Whenever there is a global financial calamity, whether it is on the horizon or has already happened, you can expect a flurry of regulation to stem the flow of disruption. As far back as the 1720s, Britain enacted the Bubble Act to regulate the stock market after the South Sea Company's stock bubble burst amid accusations of insider trading, and to cool down inflated markets. The Great Depression spawned the Emergency Banking Act of 1933 in the United States, and the 2008 credit crunch precipitated Dodd-Frank in the U.S. and, in Europe, MiFID and ESMA. There is no end in sight for regulators, because just as the ink is drying on one piece of legislation, another event or innovation emerges that requires attention.

Regulators will always be on the hamster wheel of change, never quite getting to the point where they can claim victory over errant markets, and perhaps the next decade will see their toughest challenges yet. While they are still finessing traditional market reforms, they now have to ensure that users of the expanding Web3 ecosystem — defined by blockchain, decentralized finance (DeFi) and centralized finance (CeFi) platforms, including digital assets — are protected from being exploited by criminals and other bad actors.

DORA’s broad reach

The European Council's recent approval of the Digital Operational Resilience Act (DORA) is the latest addition to the raft of regulations currently in the pipeline. DORA aims to consolidate and harmonize essential cybersecurity requirements for digital resilience in the financial sector. It brings 21 types of financial institutions into scope, including large enterprises such as banks, insurance companies and pension funds, as well as smaller digital e-money providers, token issuers and crypto-asset providers.

DORA is part of a broader European package of policy measures for fintech that includes proposed regulation on crypto-asset markets (MiCA) and on distributed ledger technology (DLT). In view of the recent FTX fallout, it comes at an opportune time, as the knock-on effect of that collapse is precisely what this legislation aims to mitigate. In essence, DORA aims to ensure that firms can cope with cyberattacks and operational disruptions by implementing governance, cybersecurity, ICT risk management and incident-reporting measures.

More legislation on the way

DORA and MiCA are not the only pieces of legislation coming online. We have the Digital Financial Assets (DFA) consultation papers being drafted independently by the U.S. and the U.K.; the Digital Markets Act (DMA), which is more focused on internet businesses; the Digital Governance Act (DGA), which creates a framework for increased data availability and re-use within the European Union; and AI Reg, the regulatory proposal that aims to give developers, deployers and users clear requirements and obligations regarding uses of artificial intelligence. All of these regulatory initiatives have fundamental game-changing capabilities, and the aim is to have them solidly in place by 2030. This date, however, feels a little pessimistic, as the rapid rate of innovation is likely to render the deadline moot.

As with all regulatory processes, DORA has gone through many drafts, and its recent approval has been welcomed by all players in the industry. Cyberthreats have been growing with alarming intensity over the last decade, and their impact on global economies, as well as on organizations and individuals, is massive. While Gartner predicts that organizations will spend nearly US$6.69 billion on cloud security in 2023, rising almost 27% year-over-year, the Web3 industry is still not doing its part in tackling the potential US$10 trillion cyber-damage problem that we could face by 2025. While DORA is a great foundation, the proposed regulations are somewhat ambiguous and by no means complete. For example, DORA does not mandate how much companies should aim to spend on cybersecurity, and it is unclear which methods should be employed to achieve better threat mitigation.

Plugging the holes

The biggest issues requiring attention include the proliferation of remote devices, the internet of things (IoT), remote working, social networks, and cloud servers — all of which can act as single points of failure within a security system. In the past, companies could ringfence their cybersecurity within the confines of the organization, but these borders no longer exist, and firms are vulnerable to attack from literally thousands of access points.

DORA will now hold companies accountable for breaches caused by weak security, so there will be a big scramble to mitigate these threats. However, if organizations are going to beat cybercriminals at their own game, using old technology will simply not work. Companies will need to change the game, and this means an entirely different approach to technology.

Unfortunately, DORA does not go far enough to incentivize companies to adopt new leading-edge technology. The legislation is firmly seated in traditional, centralized cybersecurity solutions, which have proven ineffective in protecting Web2 and Web3 ecosystems. The central argument against current cybersecurity solutions is that not only are they woefully outdated, with some technology being 40 years old, but they were also never designed to integrate with Web3. In essence, companies are using centralized technology to mitigate the risk in decentralized markets.

Decentralized cybersecurity mesh

"Cybersecurity mesh" — a holistic approach to improving cybersecurity for organizations — has recently been championed by Gartner as a trend. However, we need to flip the narrative to a decentralized cybersecurity mesh, which protects devices in real time from cyberthreats while enforcing cybersecurity standards across networks. Decentralized cybersecurity tech companies should focus on "fit for purpose" cybersecurity solutions that facilitate more robust cybercrime-prevention tactics. They could create real-time, zero-knowledge proofs of the cyber status of all devices, networks and environments by utilizing Swarm AI and blockchain technology. The benefit of this approach is that they would be able to prove to auditors and businesses the state of security at a specific point in time. The solution could also help courts analyze forensic data.

The biggest threat — people

There is a risk that the regulation will create a tick-box culture among companies that claim to be compliant but fail to address the biggest issue — the lack of a cybersecurity mindset among all of their employees. Leaving it to the IT team to defend a company's borders means that the most significant point of failure is overlooked. It is estimated that over 90% of all security breaches come from individuals within an organization. So cybersecurity is not just about the technology; it is about arming individuals with the mindset and tools to act as part of the defense.

Enforcement needs resources

When rules are put in place, they need to be enforced. In order to do this, you need a large network of skilled individuals who can monitor and evaluate non-compliant entities, and they must have the supporting infrastructure to be able to enforce the rules. The sheer volume of organizations affected by this legislation, coupled with the complex global networks that often underpin Web2 and Web3 organizations, will pose a human-resource challenge for the regulator.

The only tenable solution is a blend of self-regulation that uses automation, blockchain and external regulations, where all stakeholders participate in monitoring the industry. This is not an unworkable situation, because every party will benefit from a safer, cyberthreat-free landscape.

Increasing trust

Another key issue that needs to be addressed in the cybersecurity ecosystem is ensuring that the data being fed into systems from multiple sources is known and trusted. Currently, the processes that generate data are not trusted. Decentralized cybersecurity leverages these single points of failure by turning them into nodes for distributed validation. This creates exponential resilience for digital operations compared to local or internal validation — i.e., no single bad actor can tamper with the settings or code. This eradicates the vulnerability in a network.

This is where a blockchain-based, decentralized cybersecurity mesh really comes into its own, because it allows us, for the first time, to trust the validation process itself. It also unifies every device at the cybersecurity and governance level. It negates the single-point-of-failure weaknesses inherent in today's centralized cybersecurity systems. In addition, it creates an intelligent trust network by using Swarm AI, which detects behavioral changes and vulnerabilities in near real time, potentially before hackers can infect and take over the entire network.

This is what DORA is all about: maintaining truth and trust and negating single points of failure within untrusted environments. Until we use decentralized cybersecurity to address Web3 vulnerabilities, we will continue to see the same high levels of cybercrime currently plaguing blockchain and discouraging cryptocurrency mass adoption.
