Compliance might already seem like a heavy burden, and it is, but it’s going to get heavier. Blame technology.
Technology is making the world more complex and dangerous, and, like or not, it’s forcing governments to become more dirigiste.
Strange word and unfamiliar to most of us who didn’t major in economics. It’s borrowed from French, and in American English is pronounced deer•re•jist. It’s an adjective describing governments that assert central control. (A dirigible is a balloon you can steer or control.)
Central control sounds negative to many American ears, antithetical to federalism and market economics. Still, dirigisme (the noun form of the word, pronounced der•re•jism ) is accelerating here and throughout the West, so it’s accurate to describe the direction of our government as dirigiste.
It’s always expedient for rulers to gain more control. But in this case, it’s more about responding to rising risk, specifically risk created by technology.
***
How did dirigisme happen here? In two ways: gradually and all at once, as Ernest Hemingway might have said.
During the past 20 years, the global regulatory burden increased about 775 percent. That was due mainly to how governments responded to risks created by an increase in the global money supply. The interventions were aimed at fiscal risks.
Many of the newest laws and regulations have a different target: risk created by the rise of technology. And the top concern is national security.
We’ve passed the tipping point. “Governments seem to be everywhere all at once,” the Economist said last month.
In March last year, buried in the nearly 1,100 page Congressional appropriations bill, was the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). It requires the federal Cybersecurity and Infrastructure Security Agency (CISA) “to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.”
The purpose of the reporting is to identify and help victims of cyber attacks, reveal trends, and promote information-sharing to warn other potential victims.
CIRCIA regulates “covered entities” — public and private organizations in sectors considered to be “critical infrastructure.” The sectors include financial services, healthcare, oil and gas, energy, transportation, water, and emergency services, among others designated from time-to-time by presidential order.
In addition, in July the SEC finalized rules requiring all public companies to report material cybersecurity incidents. Issuers must also describe how they assess, identify, and manage material risks from cybersecurity threats and disclose governance practices and board oversight in place “to manage, monitor, detect, mitigate, and remediate cybersecurity incidents.”
These initial legislative and regulatory steps are likely to be adjusted from time to time. It isn’t clear yet how much cyber disclosure the SEC or any agency should require or allow. Too much could give away vital information about in-place defenses and weaknesses. Too little could mask existing vulnerabilities that could undermine stakeholder interests and the nation’s wellbeing.
***
Perhaps the biggest complexity lawmakers face is this: Innovative technology can come from anywhere.
The United States is just one source among many, and breakthroughs often result from international collaborations involving both public and private sector entities in multiple countries. Rules to restrict collaborations or sources based on geography would saddle users with inferior technology and put us all at greater cyber risk.
John Christianson, a military fellow at the Center for Strategic and International Studies in Washington, told the New York Times, “The world has changed, and the pace of technology is much faster than it used to be. We can’t just rely on Americans always having the best stuff.”
The Times said the question becomes how the federal government can “balance protectionism and cooperation in a transformative field where talent is scarce and less concentrated in the United States, making interdependence inevitable and increasingly necessary.”
Export control models based on geography appear obsolete when applied to technology. What will replace them?
Expect a more complex, targeted, and dynamic web of controls over the flow of cyber imports and exports.
(Last week, President Biden issued an executive order targeting China primarily that requires active investment funds to seek approval from the Treasury Department for investments into “countries of concern” for semiconductors and micro-electronics, quantum information technologies, and certain artificial intelligence systems.)
***
Governments here and abroad are responding to the new risks in the way they always do — with more laws and regulations. That in turn is increasing the compliance burden for companies across the board.
How much more compliance is still to come? No one knows yet.
What we do know is that governments, ours included, are becoming more dirigiste.
It’s the new normal.
Comments are closed for this article!