Building for the Speed of Light: A Cyber Governance Model That Might Actually Work
Part 4 of 5: From Nuclear Ambition to Cyber Reality
By now the pattern is clear: cyber regulation has spent the last fifteen years trying to replicate a nuclear model that required nuclear's specific properties—concentrated infrastructure, capital intensity, slow timescales, bounded risk, state actors—none of which apply to cyber.
The insurance model failed. International institutions like the UN and NATO have proven toothless on cyber norms. National regulations like GDPR and CCPA address privacy but not the core problem of cyberattacks. Bilateral agreements remain fragmented and incomplete.
So what would a cyber governance model actually look like if we stopped pretending cyber is like nuclear and started designing for what cyber actually is?
What Cyber Actually Is
Before proposing anything, we need to be clear about what makes cyber irreducibly different:
Speed: A nuclear safety breach takes years to develop and is catchable during construction and commissioning. A cyber attack executes in milliseconds and is often undetectable for months. This means reactive regulation is useless—you can't regulate something after it's already happened and you haven't noticed. Governance must be proactive, continuous, and anticipatory.
Invisibility: You can see a nuclear reactor. You can see a power line. You can see a network packet's destination, but not its contents or intent. Cyber defenses operate in domains where visibility is a constant struggle. Regulatory bodies cannot easily verify what's actually happening on protected systems.
Decentralization: Nuclear power required massive, centralized infrastructure controlled by large utilities. Cyber infrastructure is radically distributed—millions of networks, billions of devices, countless software systems with no central coordination. Governance mechanisms designed for centralized industries fail in distributed systems.
Non-state actors: Nuclear weapons are exclusively the domain of nation-states (or state-backed programs). Cyber attacks come from nation-states, criminal organizations, activist groups, lone actors, and combinations thereof. Governance models designed to manage state behavior don't constrain non-state actors.
Innovation velocity: Nuclear reactor design stabilized in the 1970s. The basic principles haven't changed in decades. Cyber threats, techniques, and defenses evolve on a weekly or even daily cycle. Regulation that takes years to negotiate and implement is obsolete before it's ratified.
Interdependence and cascades: Nuclear accidents affect localized geographic areas. Cyber attacks cascade across global infrastructure in unpredictable ways. Shutting down a hospital network affects hospitals. Attacking the software supply chain affects everyone using that software—millions of organizations with no direct relationship to the attacker or defender.
What Works in Cyber Today (And Why)
Before proposing a new model, look at what's actually working in cyber governance. It's not formal institutions—it's informal mechanisms that evolved to fill the institutional void.
Information sharing communities: Threat intelligence sharing groups, sector-specific ISACs (Information Sharing and Analysis Centers), industry consortia—these work despite having no enforcement authority because they solve a concrete problem: everyone wants to know what's attacking them and how to defend. The incentive is mutual, immediate, and visible. A person shares an indicator of compromise, others can detect attacks using that indicator, everyone benefits. No compliance verification needed.
Open source as de facto standardization: Instead of formal standards bodies setting specifications, the industry increasingly coordinates through open source projects. Organizations adopt tools and libraries not because they're mandated, but because they solve problems better than alternatives. Security best practices propagate through widely-used open source code rather than through regulatory directives. The incentive is adoption through merit, not compliance through mandate.
Collaborative threat response: When a major vulnerability is discovered (like Log4Shell or Heartbleed), thousands of organizations mobilize to patch it. This happens not through regulatory requirement, but because the threat is immediate and the solution is clear. Organizations compete intensely most of the time, but cooperate fiercely when facing a common threat.
Transparency through disclosure norms: Bug bounty programs, coordinated vulnerability disclosure, and the norm of public disclosure after a patch has been released—these create a continuous feedback loop where security researchers, companies, and attackers all participate in a complex dance of information revelation. It's messy and imperfect, but it works better than secrecy.
Incident response communities: When major breaches occur, there's rapid mobilization of experts, shared forensics, and fast communication of lessons learned. The 2013 Target breach, the 2020 SolarWinds supply chain attack, the 2021 Colonial Pipeline ransomware incident—each prompted rapid information sharing and defensive mobilization across the industry.
Insurance as reputational signal: Rather than insurance enforcing compliance, it increasingly serves as a market signal. Organizations that carry cyber insurance are signaling they've submitted to some level of underwriting scrutiny. Customers prefer vendors with insurance. Insurance companies, knowing they'll pay out for incidents, have incentive to publicize best practices. Insurance doesn't prevent breaches, but it creates a reputational signal that helps buyers distinguish between more and less credible security providers.
What all of these have in common: they solve immediate, concrete problems. They don't require central authority. They work through transparent incentives and visible feedback. They adapt faster than formal processes. They're voluntary but practically mandatory (if you don't participate, you're at competitive disadvantage). And they operate at the speed of the cyber domain, not the speed of diplomatic negotiation.
The Ambidextrous Model for Cyber
The nuclear regime eventually settled on what organizational theorists call an "ambidextrous framework"—two entities working in tension, one focused on exploitation (enforcing existing standards and procedures), the other on exploration (innovating new capabilities and practices).
In nuclear, this manifested as:
- NRC (exploitation): Enforces compliance with established safety regulations
- INPO/WANO (exploration): Drives continuous improvement and innovation in safety practices
- OECD Nuclear Energy Agency (exploration): Focuses on research and development
The tension between them was productive. The NRC prevented bad practices from spreading. INPO/WANO pushed best practices forward. The system wasn't perfectly efficient, but it was resilient because it balanced stability (through NRC) with innovation (through the others).
Cyber needs an analogous model, but adapted to cyber's actual properties:
Layer 1: Standards and Baselines (Exploitation)
- Organizations like NIST, ISO, and CIS provide security frameworks and controls
- But here's the key difference from nuclear: these standards should be framed as minimums, not aspirations. NIST Cybersecurity Framework describes controls. The minimum expectation is that organizations adopt controls proportional to their risk and resources.
- For critical infrastructure, governments specify binding standards. For everything else, standards provide guidance but aren't mandatory. This prevents the "one-size-fits-all" trap that nuclear regulation fell into.
- Compliance is verified through self-attestation and periodic third-party audit—not perfect, but acknowledgment that perfect verification is impossible anyway.
Layer 2: Continuous Threat Intelligence and Adaptation (Exploration)
- Information sharing communities are formalized and funded. Governments and large enterprises participate. Sector-specific ISACs are expanded and integrated.
- Intelligence is shared rapidly—hours, not weeks or months—so that defensive measures can propagate across the ecosystem before attacks scale.
- The role of government here is to fund and coordinate, not to mandate. Communities self-organize around shared threat interests.
- Attribution and causal analysis are shared transparently to accelerate collective learning. This breaks the normal security norm of information hoarding.
Layer 3: Liability and Insurance (Risk Management)
- Abandon the idea that insurance companies can verify compliance and prevent breaches. Accept that insurance is a financial instrument, not a regulatory mechanism.
- Instead, frame liability differently: organizations are responsible for breaches resulting from negligent security practices (failure to patch known vulnerabilities, disabling firewalls, ignoring threat intelligence). They're not liable for zero-day exploits or sophisticated nation-state attacks.
- This creates incentive for the minimum: patching, basic configuration, listening to threat intelligence. It doesn't incentivize perfection, which is unachievable anyway.
- For critical infrastructure, government liability backstops (like Price-Anderson) become more defensible because the category is smaller and the risk model is more comprehensible.
Layer 4: Innovation and Experimentation (Exploration)
- Fund and support research into defensive cyber capabilities with the same intensity that offense is funded.
- Create regulatory safe spaces where organizations can experiment with new defensive approaches without fear of liability if the experiments fail.
- Open source is encouraged and funded as a mechanism for distributing defensive innovation. Security tools should be available to small organizations and developing countries, not just to those who can afford proprietary solutions.
- Universities and research institutions are explicitly included as governance participants, not excluded as they are in formal treaty negotiations.
The Role of Geopolitics (It Never Goes Away)
Here's the truth that nuclear regulation ultimately had to confront and cyber governance still refuses to acknowledge: you cannot separate regulation from geopolitics.
The IAEA's ineffectiveness on nonproliferation was often blamed on institutional design flaws. The real reason it struggled was that preventing proliferation contradicts national sovereignty. Nations see nuclear weapons as power. No amount of institutional smoothing will convince a nation that giving up nuclear weapons capability is in its interest.
Similarly, cyber governance will never be neutral or purely technical. Nation-states see cyber capabilities as strategic advantages. Regulations that constrain offensive capabilities will be seen as threatening by major powers. Transparency requirements that expose vulnerabilities will be resisted by everyone developing offensive tools.
This means cyber governance needs to acknowledge geopolitical realities rather than pretend they don't exist:
Accept that offense and defense will remain asymmetrical. Offensive cyber capabilities will continue to be developed by nation-states and hidden from public scrutiny. Defensive governance cannot assume symmetry or perfect compliance. Instead, it should focus on making defense resilient enough to withstand attacks from actors that are more sophisticated and better resourced than defenders.
Create separate frameworks for different threat types. Criminal cybercrime (ransomware, fraud, identity theft) can be addressed through law enforcement, payment controls, and criminal liability. Nation-state attacks require different approaches—deterrence through attribution and consequence, resilience through redundancy, and intelligence sharing about tactics and techniques.
Normalize conflict without escalation. Cyber attacks between nations happen constantly. Treating every attack as an act of war is both unrealistic and dangerous. Instead, governance should establish norms about which targets are off-limits (hospitals, schools, critical civilian infrastructure) while accepting that industrial espionage, political/military networks, and weapons systems are fair game.
Build resilience instead of prevention. If you can't prevent attacks (and you can't), the goal becomes recovering from them quickly. This means governance focused on business continuity, backup systems, rapid detection, containment protocols, and rapid restoration. It's less glamorous than "preventing breaches," but it's more honest about what's actually achievable.
The Role of Great Powers (Especially the Ones Ahead)
Here's an uncomfortable truth: whoever is currently dominant in cyber warfare will resist transparency and information sharing that would improve global cyber defense, because opacity is their advantage.
The United States and its allies maintain cyber dominance through a combination of:
- Superior technical talent (concentrated in Silicon Valley, military R&D, national labs)
- More sophisticated offensive and defensive capabilities
- Better intelligence on threats and vulnerabilities
- Ability to project power globally through cyber operations
Any governance framework that genuinely improved global cyber defense would reduce this advantage. More nations would be able to defend against attacks. Offensive capabilities would be constrained. Intelligence would be shared more broadly, benefiting adversaries as well as allies.
This is exactly what happened with nuclear technology. The US used Atoms for Peace to maintain dominance despite losing its monopoly, but the program genuinely did spread nuclear technology and expertise globally. The US got some political gains and commercial benefits, but it also created a world with more nuclear powers.
Cyber governance faces the same dynamic. The nations currently ahead have incentive to maintain opacity. The nations falling behind have incentive to push for transparency. Any governance regime that actually worked would likely reduce dominance for leading powers.
This means cyber governance, like nuclear governance, will be a continuous negotiation about how much of an advantage leading powers are willing to sacrifice for global stability.
The realistic model is probably:
- Public layer: Formal agreements on norms, liability, disclosure. These set the floor and create political pressure.
- Private layer: Intelligence sharing between allies about attacks, vulnerabilities, and attribution. This remains classified and is shared selectively.
- Research layer: Open source tools and shared research create defensive capabilities available to everyone, but cutting-edge capabilities remain proprietary.
- Deterrence layer: Consequences for major attacks (sanctions, indictments, counter-attacks) remain in the shadows, negotiated diplomatically rather than through formal law.
It's messier and less transparent than ideal. But it's probably more realistic than trying to create a unified global cyber governance regime that constrains everyone equally.
What This Actually Looks Like in Practice
Imagine a concrete model:
NIST and ISO maintain standards frameworks (exploitation layer), but these are explicitly framed as baselines, not comprehensive requirements. Organizations adopt controls proportional to their risk and resources. Compliance is self-reported annually with spot-check third-party audits.
Threat intelligence sharing becomes formalized and government-funded (exploration layer). ISACs operate with classified and unclassified channels. Critical infrastructure operators share threat indicators continuously. A major vulnerability or active attack prompts rapid coordination across the entire ecosystem.
Liability becomes specific and achievable (risk management layer). Organizations are liable for breaches resulting from:
- Failure to patch known vulnerabilities within 90 days
- Failure to implement basic authentication and encryption
- Failure to monitor and respond to threat intelligence They are not liable for zero-days or sophisticated attacks they couldn't reasonably detect.
Cyber insurance is reframed (risk management layer). It doesn't prevent breaches; it helps organizations recover financially from breaches within their liability window. Insurance premiums signal risk level more than they enforce compliance.
Open source security tools are government-funded (innovation layer). Organizations of all sizes can access enterprise-grade defensive tools. Critical infrastructure gets additional government support for implementation.
Attribution and consequence remain geopolitical (realism layer). Major attacks are attributed through classified intelligence. Consequences are negotiated through diplomatic and intelligence channels. Public attribution happens selectively for political effect.
Bilateral agreements between major powers establish red lines for what's off-limits (hospitals, schools, power grids) while accepting that espionage and military networks are contested. These agreements are continuously renegotiated as capabilities and threat environments change.
The Institutional Problem That Can't Be Solved
Here's the uncomfortable final point: cyber governance probably cannot be effectively centralized because cyber infrastructure is fundamentally decentralized.
Nuclear governance worked partly because nuclear infrastructure is concentrated—a few hundred reactors operated by large utilities in a small number of countries. Creating institutions that governed this concentrated infrastructure was feasible.
Cyber infrastructure includes millions of networks, billions of devices, countless software systems, and an ecosystem of hundreds of thousands of organizations. Creating a single institutional framework to govern this would be either toothless (ignored by everyone) or tyrannical (controlling the internet in unacceptable ways).
Instead, cyber governance probably needs to be:
- Layered: Different rules and mechanisms for different risk categories (critical infrastructure vs. private enterprise vs. consumers)
- Federated: Regional and sectoral governance structures that coordinate loosely rather than a single global framework
- Emergent: Norms that develop through practice and shared interest rather than through negotiation and formal adoption
- Adaptive: Continuously evolving as threats and technologies change, not locked into multi-year renegotiation cycles
This is messier than a formal treaty regime. It's less intellectually satisfying than IAEA-style institutions. But it's probably more realistic for a domain that changes weekly and infrastructure that's globally distributed.
The Transition Problem
The hardest part of moving from the nuclear model to this alternative model isn't the conceptual argument—it's the path-dependency problem. Cyber institutions already exist. Organizations have already invested in compliance frameworks based on the old model. Regulators have already written rules based on NIST and ISO standards.
Shifting to a more honest, decentralized, innovation-focused model requires abandoning sunk investments and admitting that the current framework isn't working.
This doesn't usually happen until after a major failure.
For nuclear, it took Three Mile Island to force a shift from the NRC-only model to the INPO + NRC dual model. For cyber, the equivalent failure probably hasn't happened yet—or if it has, it wasn't recognized as such.
The SolarWinds supply chain attack showed that sophisticated adversaries can compromise defensive tools themselves. The Colonial Pipeline ransomware incident showed that even critical infrastructure can be completely unprepared. The healthcare ransomware waves showed that even life-or-death systems aren't secure. But none of these prompted a fundamental rethinking of governance. Instead, regulators responded with more requirements, more standards, more compliance frameworks.
Each new incident leads to tighter regulation of the old model, not abandonment of the model itself.
This will continue until someone can make a clear, undeniable argument that the current model is fundamentally broken and a different approach is necessary. That's harder in cyber than it was in nuclear, because cyber failures are diffuse and often invisible. A nuclear accident kills people visibly. A cyber attack might be detected months after it occurs, and the consequences might be spread across hundreds of organizations in ways nobody can trace back to the original attack.
So Part 5 will address the final question: What does it take to make a model like this actually stick?
Member discussion