Pandemic-related Government Compliance Initiatives: 7/17/20

This webinar built upon the previous webinar’s topic of maintaining business continuity, specifically in the current pandemic environment that includes complying with government cybersecurity initiatives. We explored pandemic-related government compliance initiatives from two broad perspectives: complex aggregates and compliance challenges; and a way to think about “blind spots” regarding compliance. 

The presentation began with aggregates that form and present challenges, opportunities and threats. Aggregates are dynamic mixtures of groups linked via common interests and experiences. When we add propellent to that mixture, such as grievances and injustice, the network can be suddenly ignited. Igniters such as unemployment, the covid-19 outbreak, and the killing of George Floyd can spark the formation of new aggregates that take on local relevance on a global scale. The current pandemic is a dynamic aggregate with which we have to deal. There are others, too.

We used supply chain as an example of deliberately constructed aggregates. We contrasted a supply chain based on rules-based liberal economic competition with official-China’s supply chain warfare. The comparison went as follows:

  • Development: low-cost products exploit forced labor, the purposes of which are social as well as economic; massive state-sponsored theft and increased R&D leverage science and technology to achieve superpower status
  • Marketing: a massive mal-, mis-, and dis-information campaign portrays China as a benevolent model of global cooperation
  • Procurement: state-owned enterprises and Party-controlled private corporations acquire assets aided by discriminatory practices and constraints on foreign ownership/licensing
  • Fulfillment: illegal inventory comprising most of the world’s counterfeit/pirated goods and US-seized counterfeit goods
  • Service: a Party-monitored internet plus personalized payment apps (Alipay, WeChat Pay) shape the loyalty of info-captured customers as “service,” with Central Bank Digital Currency integration looming

This led to the question, how can we compete against such warfare? Our argument was that meeting government compliance requirements is not enough. We have to go further. How?

Some sectors are already doing well in this environment: cloud security firms; food delivery; aerospace and defense; and end-to-end security and network solutions. Cisco, for instance, has a program for 15 of the 17 domains of the impending Cybersecurity Maturity Model Certification.

Overall, however, compliance competes for attention behind other priorities: covid and getting remote work working; cloud adoption that trades off user experience against security; artificial intelligence and machine learning for threat detection now; the need to recruit, develop and retain cyber skills; and phishing (it’s too easy). For some companies, compliance may not seem to be worth the expense, until fines go up or threats take more of their earnings.

Next, we reviewed some examples of initiatives in the compliance business:

  • Environmental Protection Agency’s discretion policy on enforcement due to covid-caused worker shortages
  • Health Insurance Portability and Accountability Act (HIPAA) requirements being tightened as attackers target health care providers
  • Collaborative standards of the Payment Card Industry Data Security Standards Council
  • National Institute of Standards and Technology requirements for remote operations

These efforts are about mitigating threats with great defense rather than hunting threats. This point led to the question, how can we identify our “blind spots” that make us more susceptible to either non-compliance with government/private sector standards or attack?

We gave two examples. 

First, we showed a political-legal checklist from Covington that provides questions any business can ask of itself.

Second, we showed a 4×4 matrix called a “Johari Window” through which a company can look to identify what it knows and does not know about itself (programs, connections, funding, decisions and value), and what it knows and does not know about others (competitors, threats, aggregates).

The summary of the presentation related the importance of identifying and anticipating threat aggregates, argued that Western-style supply chain competition is facing a different aggregate of Chinese supply chain warfare, noted how we are reacting to this threat with government and industry compliance initiatives, and advocated the use of “blind spot analysis” to help with those challenges.

The discussion that ensued raised thought-provoking questions, developed insights, and offered potential solutions. A few of these are:

  • “Mission spillage” in the health industry, in which expanding covid-19 compliance standards can impinge upon individual HIPAA compliance; therefore personally identifiable information and personal health information need to be specified
  • The complex challenges facing broad-based companies that need to meet federal, state, city, commerce & industry compliance standards and certifications; therefore we need an integrated picture of what needs to be done
  • There’s a need to identify and analyze “sensitive variables” that cause aggregates to form: what is creating the conditions in which propellants emerge and are ignited, and how do those aggregates interact (collide or conjoin)?
  • We need zero trust mechanisms to defend and mitigate such complex threats
  • There are a variety of tools with which to identify where the jobs are in the compliance business

At the end of the hour, several participants expressed an interest in the next webinar being about specific local tools and solutions to these complex problems.