The rise of generative models, particularly large language models (LLMs), has led to increased calls for security regulation, especially in light of the growing popularity of ChatGPT. However, it’s important to consider the potential drawbacks of excessive regulation. While security regulation can have its merits, it doesn’t always guarantee enhanced security. There have been instances in the past where well-intentioned security regulations had unintended consequences. It is crucial to examine these cases as we contemplate the need for further regulation in the field of technology.
One example of security-related regulation that initially seemed like a good idea but fell short is the Payment Card Industry Data Security Standard (PCI-DSS). This standard, developed by the credit card industry, applies to entities that handle customer card information. The 2006 version of the standard required a minimum password length of seven characters. At the time, this may have seemed sufficient, but advancements in hardware have made it possible to crack such passwords rapidly. In response, the standard was updated in 2022, mandating a minimum password length of 12 characters. However, even this longer password length will likely become susceptible to cracking in the future. This demonstrates that specific security regulations can quickly become outdated.
Conversely, regulations that are too general can also have adverse effects on security. The European General Data Protection Regulation (GDPR) serves as a case in point. GDPR aims to safeguard personal information, defining personal data as any information related to an identified or identifiable individual. This broad definition has created challenges for organizations that rely on collecting logs to protect their systems. Logs are essential for detecting both benign and malicious activities on a network. However, if these logs contain personal information, organizations face the risk of significant fines for non-compliance. Accordingly, security departments often find themselves at odds with legal departments when determining which logs they can retain for security purposes. The conflict between security and compliance is often resolved conservatively, prioritizing compliance over security measures.
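One way to reduce this conflict, rather than discarding the logs, is to pseudonymize the personal fields before retention so that events can still be correlated without storing the raw identifiers. The following is an added example and is not part of the original article: it applies a keyed HMAC (an assumption here, one common pseudonymization technique) to usernames and IPv4 addresses in constructed SSH log lines, then counts failed logins per pseudonymized source to show that detection logic still works on the transformed data. The log lines, key, and regular expressions are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample log lines; not from any real system.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z sshd[1042]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "2024-03-01T10:00:04Z sshd[1042]: Failed password for alice from 203.0.113.7 port 51236 ssh2",
    "2024-03-01T10:00:09Z sshd[1043]: Accepted password for bob from 198.51.100.22 port 40001 ssh2",
]

# Constructed placeholder key; in practice it would come from a secrets store,
# be held by the security team only, and be rotated on a schedule.
DEMO_KEY = b"constructed-demo-key-do-not-use"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\b(?:Failed|Accepted) password for (\S+)")
IP_TOKEN_RE = re.compile(r"ip:[0-9a-f]{16}")


def pseudonymize(value: str, key: bytes, prefix: str) -> str:
    """Return a stable, keyed pseudonym for value.

    HMAC-SHA256 with a secret key means the same input always maps to the
    same token (so correlation still works), but nobody without the key can
    confirm or enumerate the original value from the token alone.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}:{digest[:16]}"


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace the username and IPv4 address in one log line with pseudonyms."""
    # Replace the username captured by USER_RE, keeping the surrounding text.
    line = USER_RE.sub(
        lambda m: m.group(0)[: m.start(1) - m.start()]
        + pseudonymize(m.group(1), key, "user"),
        line,
    )
    # Replace every IPv4 address. The hex tokens contain no dots, so a
    # username pseudonym can never be mistaken for an address here.
    line = IPV4_RE.sub(lambda m: pseudonymize(m.group(0), key, "ip"), line)
    return line


def count_failures_by_source(lines, key: bytes) -> dict:
    """Count failed logins per pseudonymized source address.

    This is the kind of brute-force detection that still works after
    pseudonymization: the raw address never appears in retained data, yet
    repeated failures from one source still aggregate under one token.
    """
    counts: dict = {}
    for line in lines:
        clean = pseudonymize_line(line, key)
        if "Failed password" in clean:
            src = IP_TOKEN_RE.search(clean).group(0)
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(pseudonymize_line(raw, DEMO_KEY))
    print(count_failures_by_source(SAMPLE_LOGS, DEMO_KEY))
```

Because the mapping is keyed, the security team can re-identify a source during an incident by recomputing the HMAC of a candidate address with the key, while the retained logs themselves no longer hold the raw identifiers. Whether a keyed pseudonym still counts as personal data under a given legal reading is a question for the organization's own counsel; the point here is only that the technical trade-off is not "keep everything" versus "keep nothing".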
It’s important to recognize that regulatory decisions emerge from a complex and often compromised process involving multiple stakeholders, legislators, and interest groups. Consequently, the final regulation may contain loopholes or gaps that attackers can exploit, and compliance does not equate to foolproof security. This undermines the very purpose of security regulations, leaving organizations vulnerable to breaches despite being compliant.
A research paper published several years ago provides another compelling example of the unintended consequences of regulation. The paper analyzed the effects of regulations mandating car safety seats for children. As US states progressively raised the age up to which children were required to use these seats, the researchers found that the rules significantly raised the cost of having a third child, because three seats do not fit in a standard-size car. The result was a decline in birth rates, with an estimated 145,000 fewer births since 1980. While the regulations improved child safety, they had the unexpected consequence of decreasing birth rates. This example illustrates how well-intentioned regulations can have unintended negative consequences.
Therefore, as we contemplate imposing more security regulations on organizations, it is essential to ask whether we are genuinely enhancing security or simply burdening them with more compliance work. Compliance does not guarantee foolproof security, so regulation must be balanced against its intended outcome of improved security. Any proposed regulation should be evaluated thoroughly for both its potential benefits and its drawbacks, to ensure that it ultimately enhances security without unintended negative consequences.