
Cyber Regulation Lab

Creating smart cyber regulations

The Columbia SIPA Cyber Regulation Lab is producing original research, proposing fresh ideas, and convening global experts to examine and help create the future of smart cyber regulation. The lab was created to help implement and measure the success of the 2023 U.S. National Cybersecurity Strategy, under 'ProjectNCS'.

Background

From NIS2 in the European Union to a patchwork of state and Federal regulations in the United States, governments are increasingly agreeing with the White House that “Today’s marketplace insufficiently rewards” cybersecurity and that “Regulation can level the playing field.” This governmental push must be matched by work by academia, think tanks, and others to ensure that this regulation is well crafted and measured to ensure it is truly improving cybersecurity, at scale.

The Cyber Regulation Lab, at Columbia University's School of International and Public Affairs, is producing original research, proposing fresh ideas, and convening global experts to examine and help create the future of smart cyber regulation. This effort is part of our ProjectNCS to help implement and measure the success of the U.S. National Cybersecurity Strategy and an extension of our years-long partnership with the Federal Reserve Bank of New York, with whom we've worked on issues pertaining to cyber risk to financial stability.

Initial Research Questions

Over 2024 and into 2025, the Cyber Regulation Lab will tackle several key research questions. Answers will be sought through independent research, through partnership with the SIPA New York Cyber Task Force, and with input from key regulators and policymakers.

  • How can cyber regulations be better understood using frameworks from regulations in other areas?
  • When should regulators prioritize reciprocity, convergence, or harmonization and how can these best be achieved?
  • How do the differing regulatory authorities inhibit the reciprocity, convergence, or harmonization of cybersecurity regulations?
  • What market failures exist in which parts of the U.S. economy, which would in turn require cybersecurity regulations?
  • What tools are in policymakers' toolkits to address each particular kind of market failure?
  • Is cyberspace becoming more secure over time and what role does regulation play in that improvement compared to other levers?

Research Output

New Innovations for Agility in Cyber Regulation and Compliance, 29 January 2026

  • Jason Healey writes for Lawfare on how AI, automation, and continuous testing could replace checklist cyber compliance with faster, cheaper, and more resilient regulation.

Countering Adversaries and How to Count It, 22 September 2025

  • Jason Healey writes for Ooda on how shifting cyber risk to adversaries requires not just disrupting attacks, but developing clear metrics to measure long-term impact and behavior changes.

Are Cyber Defenders Winning?, 14 July 2025

  • Jason Healey and Tarang Jain write for Lawfare on how the U.S. government's cybersecurity strategy aims to shift the advantage to defenders through improved strategies and defenses. They argue that meaningful progress requires clear, system-wide metrics to measure success across threat, vulnerability, and consequence. 

Drivers of Disharmony in U.S. Cyber Regulations, 18 December 2024

  • Jason Healey and Samuel Dab write for Lawfare on how researchers and governments must first understand the causes of disharmonization in cyber regulations before they can work together to achieve harmonization. 

What the White House Should Do Next for Cyber Regulation, 7 October 2024

  • Jason Healey writes for Dark Reading on how creating a new office of cyber-regulation strategy is the government's best opportunity to improve security and to protect Americans in an increasingly dangerous world.

Measuring Policy Effectiveness of Cyber Defensibility and Deterrence, 10 September 2024

  • Jason Healey writes for Lawfare on how the United States needs better ways to understand success in cyberspace.

The National Cybersecurity Strategy: Breaking a 50-Year Losing Streak, 7 June 2024

  • Jason Healey writes for Lawfare on how the new White House strategy tackles long-standing cybersecurity problems head-on.

Twenty-Five Years of White House Cyber Policies, 2 June 2023

  • Jason Healey writes for Lawfare on how the new National Cybersecurity Strategy builds on a long consensus but differs in important and long-overdue ways.

The National Cybersecurity Strategy: Breaking a 50-Year Losing Streak, 7 June 2023

  • Jason Healey writes for Lawfare on how the new White House strategy tackles long-standing cybersecurity problems head-on.

Presentation at 2023 Cybersecurity Law and Policy Scholars Conference at Tufts University

Comments to ONCD on Cyber Regulatory Harmonization

  • The Office of the National Cyber Director released a Request for Information on 19 July 2023 on cybersecurity regulatory harmonization and regulatory reciprocity.
  • SIPA Cyber submitted its comments on 30 October 2023.

Which Cyber Regulations Fit Which Sectors?, 20 November 2023

  • Jason Healey writes for Lawfare about how the National Cybersecurity Strategy calls for new and harmonized cyber regulations. To succeed, there is a lot of homework left to do, starting with a better understanding of performance-based and other kinds of regulation.

Panel Discussion at Common Good Cyber Workshop in February 2024 in Washington D.C.

Research Staff

  • Jason Healey
  • Greg Rattray
  • Carina Kaplan (SIPA'25)
  • Christina McNeill (SIPA'25)
  • Samuel Dab (SIPA'25)
  • Tarang Jain (SIPA'25)

Former Student Staff:

  • Ji Yeon Kim (SIPA'24)