CYBERSECURITY RISK MANAGEMENT REQUIRES INFRASTRUCTURE PROTECTION POLICY CONFORMANCE

John W. Bagby*

CyberSecurity Infrastructure Policy Conformance, Jan. 2015

Abstract: Infrastructure challenges continue to drive considerable public policy debate. The nation’s economy relies very heavily on the combined provision of only a few critical infrastructures. Management of risks in these critical infrastructures is challenging because they are interconnected, interdependent and cross-cutting, providing essential services to the whole economy. Indeed, the “incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety...” Contrasting the infrastructure protection security investments of each sector with a systems analysis of their combined impact provides insight into the cyber-security investment challenges for cyber-infrastructure. Increasing vulnerability to cyber-attacks now clearly presents a “cyber-security conundrum” that defies simple or straightforward resolution because of the strong but persistently opposing factions in the political economy. Understanding how these contradictory influences coalesce informs a path towards the standardization of cyber-security risk management techniques.

INTRODUCTION

Three critical infrastructure sectors are, individually, among the most pervasively cross-cutting, impacting nearly all other sectors: (i) energy, (ii) banking and finance and (iii) information technology (IT). These three sectors are exposed to considerable internal and external threats as well as recurring operational difficulties. When threats are directed at any combination of these three sectors, the situation should rise to the top of infrastructure protection concerns. It is argued here that these three sectors are among a very short list of “most key infrastructures,” particularly for the economic well-being of the U.S. as well as of most industrialized nations.

When plotted across a continuum of systemic vulnerability,[1] these three infrastructures anchor the extremes and a mid-point: electric power lies at the very well-managed extreme, banking and finance occupies a middle ground, and cyber-infrastructure lies at the extreme exhibiting the most systemic vulnerability. Cyber-infrastructure is therefore a key critical infrastructure with cross-cutting characteristics derived from the interdependency among critical infrastructures, which are frequently connected via the cyber-infrastructure.

For nearly two decades, a public policy debate has raged over the optimal method(s) likely to result in the most robust cyber-security protection. There are several well-known failures in the market(s) for security[2] that probably explain the considerable barriers to security investment.[3] Central to this debate are coordination problems and the private sector’s perceived incentives, arguably dominated by near-term competitive self-interest that too often fails the national interest. Indeed, numerous recent expert reports argue that the fragility of cyber-infrastructure demands immediate remediation because it portends dire and systemic consequences.[4]

A. The Challenge: Integrate Industrial Organization

Competitive capitalism ideals produce two pressures that intensify this manifestation of near-term competitive self-interest in the private sector. First, direct rivals in strongly competitive environments are generally disincentivized from sharing information. Disclosure of failures might permit competitors to avoid making similar mistakes or repeating bad investments.[5] Opacity about failure encourages ignorant competitors to “spin their wheels,” raising the opportunity costs of alternative experimentation. Similarly, premature disclosure of successes shortens the interval in which competitive advantage permits abnormal profits. Indeed, a common strategy may be to signal misinformation precisely because it is so often counterproductive to direct competitors and also useful in deterring potential competitors from market entry. Second, in markets where public policy has a stronger record of maintaining or encouraging competitiveness, the antitrust laws also discourage information sharing. Coordination conducted in secret so resembles harmful conspiracy that it is frequently labeled collusion, of the “classic” type that arguably “ends in a conspiracy against the public, or in some contrivance…”[6]

Information sharing enables mutual self-interest in two ways that increase various types of security for the participants engaged in coordination of their activities. First, information sharing enhances the economic success of the collaborators in their upstream and downstream markets. Second, information sharing can contribute to the collective security of the collaborators in securing the group against threats that target other interests that only collaterally impact their markets. Only this latter objective of information sharing has strong public policy support because it so directly impacts systemic security, that is, the [national military] “security, national economic security, national public health or safety.” This distinction lies at the heart of the conundrum discussed throughout this paper. Information sharing that enables anti-competitive collusion is disfavored, while information sharing that enhances societal interests is not only acceptable but is becoming a national imperative.[7] These coordination problems coalesce to produce a poorly aligned cyber-security investment environment in critical infrastructures, impacting both national security and society’s economic well-being.

This cybersecurity conundrum becomes “systemic” and centrally problematic for two reasons. First, the private sector has a more profound role in critical infrastructure protection than does government. The private sector owns, operates and/or maintains most “civilian” critical infrastructures, an estimated 85% of the total.[8] Indeed, even a majority of defense contractors are publicly traded, and private sector service providers for national security are largely for-profit, privately held corporations. Second, these operators of critical infrastructure are pressing headlong into heavy reliance on the public Internet for systems control, remote storage of essential records, and externalized computational power. Therefore, a cyber-infrastructure protection conundrum is presented because critical infrastructure is largely controlled by the private sector, because cyber-infrastructure will likely continue its successful penetration as demonstrably cross-cutting to all critical infrastructures, and because optimal security investment remains elusive as it suffers from various market failures.

B. The Cyber-Infrastructure Protection Conundrum

Attempts to overcome cyber-infrastructure security market failures have repeatedly resulted in failed legislation or regulation, fierce opposition to unilateral executive orders, weak cyber-security standards development and standards conformity assessment, and ineffective “jawboning” by government officials. Cyber-infrastructure protection naturally requires collusion, but this is frustrated when: (1) proprietary losses result as competitors share vulnerability information, (2) revelations expose targets to legal or regulatory liability for negligent maintenance of robust security and (3) disclosure attracts additional hacker attention.[9] Information sharing provides both details and opportunities useful to facilitate restraints of trade resulting from the collusion. Cyber-security investment incentives are arguably constrained as a weakest-link insecurity game[10] in which underinvestment derived from industry-wide irrationalization predominates over minimum cyber-security investment. Furthermore, there arguably exists a “first-mover disadvantage” that both reveals proprietary strengths/weaknesses and risks significant free-riding.[11] Resolution arguably requires a level playing field, potentially approached using various means.[12] Two methods are immediately presented: private sector coordination through standardization and one or more regulatory approaches that deploy federally pervasive, minimum-requirement security regulations.

* Professor of Information Sciences and Technology, the Pennsylvania State University.

[1] Schwarcz, Steven L., Systemic Risk, 97 GEORGETOWN L. J. 193 (2008); Technical Capabilities Necessary for Systemic Risk Regulation: Summary of a Workshop, Robert F. Engle & Scott T. Weidman, Rapporteurs, National Research Council (2010) at 5-6, accessible at: https://download.nap.edu/login.php?record_id=12841&page=%2Fcatalog.php%3Frecord_id%3D12841; Bagby, John W., Too Big to Fail vs. Too Connected to Ignore: Managing Systemic Risk in Dynamic Financial Networks (No. 69) pp. 1-9, Aug. 11, 2011, Academy of Legal Studies in Business, New Orleans LA. Systemic risk may be embodied as the potential societal impact that individuals or groups impose when they are experiencing material distress, [including] the nature, scope, size, scale, concentration, interconnectedness, or mix of activities, that could pose a threat to the stability of the United States. See also, Definitions of “Predominantly Engaged In Financial Activities” and “Significant” Nonbank Financial Company and Bank Holding Company, NPR, Fed. Res. Bd. Regulation Y; Docket No. R-1405, 76 Fed. Reg. 7731, 7732 (Feb. 11, 2011), accessible at: http://edocket.access.gpo.gov/2011/pdf/2011-2978.pdf

[2] Moore, Tyler, Introducing the Economics of Cybersecurity: Principles and Policy Options, PROCEEDINGS OF A WORKSHOP ON DETERRING CYBERATTACKS: INFORMING STRATEGIES AND DEVELOPING OPTIONS FOR U.S. POLICY, 2010 Nat. Res. Council, http://www.nap.edu/catalog/12997.html

[3] See e.g., Anderson, Ross & Tyler Moore, The Economics of Information Security, 314 Sci. 610 (2006); but see Dourado, Eli & Jerry Brito, Is There a Market Failure in Cybersecurity? MERCATUS ON POLICY, No. 106 (Mar. 6, 2012), accessible at: http://mercatus.org/sites/default/files/Cybersecurity_DouradoBrito_MOP_Final.pdf

[4] Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage, GAO-12-876T, Jun. 28, 2012, http://www.gao.gov/assets/600/592008.pdf; Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged, GAO-12-757, Sep. 18, 2012, http://www.gao.gov/assets/650/648519.pdf; Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices, GAO-12-816, Aug. 31, 2012, http://www.gao.gov/assets/650/647767.pdf; Information Security: Environmental Protection Agency Needs to Resolve Weaknesses, GAO-12-696, Jul. 19, 2012, http://www.gao.gov/assets/600/592755.pdf; Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements, GAO-12-137, Oct. 3, 2011, http://www.gao.gov/assets/590/585570.pdf; Cybersecurity: Challenges in Securing the Electricity Grid, GAO-12-926T, Jul. 17, 2012, http://www.gao.gov/assets/600/592508.pdf; IT Supply Chain: Additional Efforts Needed by National Security-Related Agencies to Address Risks, GAO-12-579T, Mar. 27, 2012, http://www.gao.gov/assets/590/589617.pdf; Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use, GAO-12-92, Dec. 9, 2011, http://www.gao.gov/assets/590/587529.pdf; Information Security: Additional Guidance Needed to Address Cloud Computing Concerns, GAO-12-130T, Oct. 6, 2011, http://www.gao.gov/assets/590/585638.pdf

[5] Indeed, trade secret law encourages secrecy about failure by granting remedies for misappropriation, holding liable for breach of confidentiality those agents, fiduciaries or employees who disclose “negative results,” that is, data about failed experiments or other errors from trial and error. Individuals and suppliers with contractual duties of confidentiality, such as those bound by non-disclosure agreements (NDA), also have secrecy duties to conceal failure.

[6] Smith, Adam, THE WEALTH OF NATIONS, 1776 (W. Strahan & T. Cadell, London U.K.) Bk. I, Ch. 10, ¶ 82 (arguing essentially that constitutionally protected liberty and enforcement impracticality hinder government from prohibiting contacts among competitors; however, also clearly cautioning against mandating such dealings and, by implication, against mandating communications and other information exchanges among competitors: “It is impossible indeed to prevent such meetings, by any law which either could be executed, or would be consistent with liberty and justice. But though the law cannot hinder people of the same trade from sometimes assembling together, it ought to do nothing to facilitate such assemblies; much less to render them necessary.”)

[7] Id. A very considerable literature on the information exchange practices of trade associations and standards setting bodies has developed under the antitrust laws. This case law applies to trade associations when serving as clearing houses for information exchange. Antitrust scrutiny by the Federal Trade Commission (FTC) and the U.S. Department of Justice (DoJ) intensifies when trade associations police their members to suppress disruptive competitors. Essentially, information exchange enabling collusion that harms the public or the competitive environment is disfavored, while information exchange that raises product or service quality, thereby benefiting the public, is not disfavored. See e.g., American Column & Lumber Co. v. United States, 257 U.S. 377 (1921); Maple Flooring Mfrs. Ass’n v. United States, 268 U.S. 563 (1925); United States v. American Linseed Oil Co., 262 U.S. 371 (1923); and In re Petroleum Prods. Antitrust Litig., 906 F.2d 432 (9th Cir. 1990).

[8] White House, Office of Homeland Security, The National Strategy for Homeland Security, Dept. of Homeland Security (2002) at 33, accessible at: http://www.dhs.gov/xlibrary/assets/nat_strat_hls.pdf
[13] However, strong, industry-sponsored lobbying against a “level playing-field” from standardized regulation[14] continues to offset forces that might establish cyber-security as a public good.[15]

The major underlying conundrum remains the very different risk methodologies used in private-sector risk management when compared to national security threat reduction. In the private sector, one or more probability-magnitude methods are used that are generally data-based, using actuarial approaches. By contrast, national security risk assessments tolerate much higher costs to erect more robust and wider safety margins. Private sector risks are often insurable, but national security risks are frequently framed as tantamount to risking cataclysmic failure. The two forms of analysis result in significantly different safety margins. Cyber-infrastructure protection is typical among the protection of many of the critical infrastructures, in that it stubbornly occupies the boundary between the private sector’s responsibilities and national security realms. This duality will likely continue to confound resolution of the cyber-infrastructure policy problem because of the very different risk prediction and remediation methods. Furthermore, with only a few exceptions (e.g., banking, maritime), the institutional control environment over most critical infrastructures provides insufficient guidance because it remains fragmented.[16]

The policy debate surrounding cyber-infrastructure security has erected a durable barrier to straightforward resolution. Participants in this policy game include strong players with clear and frequently contradictory motives that defy resolution despite the threatened high costs of failure. Cyber-infrastructure threat reduction first requires an assessment of the range of risks, the sources of such risks and the efficacy of threat remediation. The next sections explore: (1) how public policies are set to assess these risks in the policy venues, (2) the major players of significance in those venues, and (3) the implementation methods where public policy debate will likely address these risk assessments. This paper guides the prediction of outcomes of some likely combinations of these factors and provides an assessment of the most obvious policy alternatives, including their attendant risks.

C. Information Sharing Externalities

Adam Smith’s admonition against mandating competitor contact seems like a relic of an idealistic, bygone era when public policy could afford the luxury of atomized competition. Indeed, most nations have longstanding public policies that grant monopolies, foreseeably result in oligopolies, or encourage efficiencies from coordinated competitor activities.[17] Countless regulatory programs, from anti-discrimination methods through externalities controls (e.g., environmental, standardization, product liability) and extending to network industry efficiency (standardization to enable interoperability in communications, or to reduce duplication costs in transportation and utilities), have selected policies that purposefully or incidentally ignore Adam Smith’s admonition against intra-industry coordination. Should cyber-infrastructure become the next set of related industries that abandon Adam Smith’s ideals? Those ideals, which eschew coordination as tantamount to collusion, would be abandoned in favor of interests in national security and economic security. One clear path of the cyber-infrastructure security debate would permit such collaboration with no clear concern for attenuating collusion risks. However, it is not clear this result is inevitable.

[9] Swire, Peter P., A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Systems, 42 HOUS. L. REV. 1333 (2006) (arguing there are incentives for opacity driven by both competitive and security motives).

[10] See generally, Grossklags, Jens & Benjamin Johnson, Uncertainty in the Weakest-Link Security Game, PROCEEDINGS OF THE FIRST ICST INTERNATIONAL CONFERENCE ON GAME THEORY FOR NETWORKS (GameNets ’09) (2009 IEEE Press, Piscataway NJ) at 673-682.

[11] Gandal, Neil, An Introduction to Key Themes in the Economics of Cybersecurity, in CYBER WARFARE AND CYBER TERRORISM (IGI Global, Hershey PA, 2008).

[12] Kobayashi, Bruce H., An Economic Analysis of the Private and Social Costs of the Provision of Cybersecurity and Other Public Security Goods, 14 SUP. CT. ECON. REV. 261 (2006) (arguing the chronic potential for overinvestment in physical security is inapplicable to information goods, therefore suggesting significant free riding).

[13] Van Eeten, Michel & Bauer, Johannes M., Emerging Threats to Internet Security: Incentives, Externalities and Policy Implications, 17 J. CONTINGENT. & CRISIS MGT. 221-232 (Dec. 2009), http://ssrn.com/abstract=1508844

[14] Pfleeger, Shari Lawrence; Daniela Golinelli; Robin Beckman; Sarah K. Cotton; Robert H. Anderson; Anil Bamezai; Christopher R. Corey; Megan Zander-Cotugno; John L. Adams; Roald Euller; Paul Steinberg; Rachel Rue; Martin C. Libicki; & Michael Webber, Cybersecurity Economic Issues: Corporate Approaches and Challenges to Decisionmaking, RAND Institute Research Brief (2008) (arguing standardization essential to cyber-security progress), www.cyber.st.dhs.gov/docs/RAND_RB9365-1.pdf

[15] Powell, Benjamin, Is Cybersecurity a Public Good? Evidence from the Financial Services Industry, 1 J. L. ECON. & POL'Y 497 (2005).

[16] Bagby, John W., Evolving Institutional Structure and Public Policy Environment of Critical Infrastructures, 9 SPEAKER’S J. PENN. P’LCY 187-204 (Spring 2010) (arguing critical infrastructure institutional structure remains highly fragmented, undermining immediate or efficient coordination to achieve resilience).
Both ex ante safeguards and ex post remediation seem feasible with only threshold industrial organization attention. Antitrust scrutiny could be implemented in numerous venues and using various regulatory tools, each with some successful experience. It is therefore appropriate to examine those tools with a creative view to adapting them to control externalities likely to arise with more active cyber-security coordination.

D. A Cast of Likely Players in Public Policy Formation

Acknowledgment of the sources of influence in the cyber-security policy debate, that is, the likely players, is a basic perspective needed for successful policy analysis. While business strategists have focused in recent decades on constituent analysis, this analysis of the public policy players generally requires a broader viewpoint. For example, simplistic strategic planning originally viewed government as monolithic and exogenous. In the cyber-security policy debate, government is neither monolithic nor exogenous. Instead, the governments of various nations are important. Government subdivisions (e.g., regulatory agencies) are numerous at all levels: multi-national, national, multi-jurisdictional (e.g., PATH, the “tri-state authority”), provincial/state and local/municipal. Furthermore, the political ideology driving the policy choices of at least the executive and legislative branches of these governments is often determinative of their instinctive regulatory or laissez-faire approaches. Political favoritism also drives the grant of benefits to particular industries or particular companies.

[17] See generally, Li, Jingquan, Riyaz Sikora, Michael J. Shaw & Gek Woo Tan, A Strategic Analysis of Inter-Organizational Information Sharing, 42 DEC. SUPPORT SYS. 251-266 (Oct. 2006) (arguing from conceptual analytics and experimental results that near-complete information sharing among competitors enhances group performance).
Even the judiciary and regulatory agencies are frequently criticized for yielding to political pressure. As to government as an exogenous influence, accurate analysis of few matters in human activity can sustain ignorance of the mechanisms involved in government influence. The protection of critical infrastructures may be the archetype of private-public sector responsibilities requiring collaboration. Therefore, few in either sector can seriously argue the other is endogenous. That assumption, perhaps at one time necessary for reductionist simplicity, is inconsistent with the development of serious solutions to systemic problems.

So if governments are among the relevant players in the cyber-security policy debate, who else might be significant? It will be difficult to develop a stable rank ordering. Indeed, any particular player’s influence varies widely depending on their self-interest, their political or economic power and the public appeal of their public policy influence (e.g., their arguments). Thus, no universal ordinal is implied here. Nevertheless, the following key players appear in this policy debate with sufficient frequency to deserve at least honorable mention. Other classes of players may arise and recede in various circumstances.

First, cyber-infrastructure intruders and defenders are the key technical actors. Their choice of targets, methods or intensity may result from others’ influence. Their immediate motivation may be personal amusement, accidental discovery or perceived target value, may result from “community tips,” or they may identify particular targets as “low hanging fruit.” Still, as the major “technical agents” of cyber-attack and cyber-defense, their participation is likely to remain ubiquitous.
Related communities of cyberspace libertarians, sometimes called “Internauts,” are likely influential both in exercising intra-community discipline and in advising policy makers on preserving Internet user rights (e.g., free expression, privacy, liberty).

Second, targets are also ubiquitous, both high value and low value. Military targets are the classic high value target for cyber-war and for some aspects of cyber-conflict. Fortunately, the U.S. military resists the allure of structural cost savings from high dependence on the public Internet. While this increases the military’s costs of deploying networked telecommunications, the military’s isolation from much cyber attack may be worth the much higher expense of building out its independent networks. By contrast, consider the vulnerabilities of the private sector. Most trade secrets, intellectual properties (IP) and other non-public technologies are developed in the private sector. Most transaction processing and the electronic payment system are operated by the private sector (e.g., financial services, banks). To make matters more vulnerable, many, if not most, private sector participants have already migrated, or are now migrating, their systems to networked telecommunications. It is the combination of this public Internet cost-benefit advantage, intensified by the private sector’s dominance over 85% of all critical infrastructures, that explains the large scope of cyber-infrastructure vulnerability. Increasing public Internet dependency buffeted by cyber-security market failure breeds the current situation.

Third, other key players are also habitually involved, particularly the telecommunications carriers and ancillary cyber-infrastructure suppliers.
The latter include equipment manufacturers (computers, servers, switching, transmission, connectivity), software vendors and other third-party service providers who increasingly supply this buildout: security auditors, software as a service (SaaS), security service providers, cloud vendors. Interestingly, the services and equipment of these suppliers initially appear at more attractive prices if security protection is not guaranteed to clients or buyers. For example, it is arguable that Internet/Online Service Providers (I/OSPs) are in the best position, as network operators, to provide security. They are likely the least-cost providers of much cyber-infrastructure security. Despite this potential advantage, the I/OSPs have successfully lobbied for relief from legal duties to provide security. Their market power, initially as service area monopolies but increasingly as duopolies, also explains an absence of competitive discipline to provide security investment.

Finally, individual users and commercial users (including governments and NGOs) are important players, but their roles in the public policy debate are attenuated when compared with the key players discussed above. Of course, this taxonomy is imperfect because users span these rough categories; frequently they are the high value targets discussed above, but they also deserve separate consideration here. For example, individual human users lack reliable collective action mechanisms to participate in the public policy debate with the same intensity as do the groups discussed above. Despite the growth of social networks (SN), user groups and other aggregations of like-interest users, the individual user is unlikely to participate strongly in cyber-security public policy formation. Of course they do have other roles.
Individuals are a prime target for identity theft, their financial assets are often vulnerable, and some individuals are active in IP theft, such as in the supply and use of pirated content. More ominously, individuals have a negative influence on cyber-security when duped into botnets, essentially surreptitiously and naively recruited to participate in distributed attacks on high value targets when their computerized telecommunications devices are commandeered. Nevertheless, individual users differ in kind and degree from commercial users. The latter generally make significantly higher security investments, and they increasingly participate in intra-industry security standards development activities (SDA). Industries with significant technology innovations are perennial targets of insider threats and of trade secret theft via the cyber-infrastructure. Commercial users who operate critical infrastructures and who have lunged headlong into committing their control systems and valuable databases to the public Internet impose huge systemic risks on national “security, economic security and national public health or safety.”

E. The Policy Venues

Traditional security law in general, and in the cyber-infrastructure context in particular, is decidedly sectoral and not omnibus. The sectoral approach means there are provisions of law, regulation and the common law that impinge on security concerns, but these are neither applicable broadly across fields of law nor broadly across industries or economic sectors.[18] That is, security law in the U.S. closely resembles the sectoral nature of U.S. privacy law: The U.S. has no comprehensive privacy (/security) protection policy. Privacy (/security) laws are narrowly drawn to particular industry sectors, which can be called a sectoral approach to privacy (/security) regulation.
Regulation of privacy (/security) generally arises in the U.S. after there is considerable experience with privacy (/security) abuses, an approach consistent with liberty, laissez-faire economics and common law precedents as the major approach to law making. As a result, U.S. privacy (/security) law is a hodgepodge, patchwork of sectoral protections, narrowly construed and derived from constitutional, statutory and regulatory provisions of international, federal and state law.[19] (compare/contrast emphasis added)

Omnibus approaches are much more comprehensive; they mandate strong rights, thereby imposing strong duties on most industries and on many government activities. Strong omnibus regulation is often politically infeasible. Cyber-infrastructure security suffers because legal requirements are not pervasive across industry and government sectors. The traditional law of security is also a hodgepodge, patchwork derived from various fields of law, and security law is also based on constitutional, statutory and regulatory provisions of international, federal and state law. Security laws generally arise ex post, following crisis or galvanized political will derived from mounting evidence of abuses. Traditional sources include criminal law, tort law, contract, and malpractice. Privacy laws and security laws are linked in two fundamental ways: first as a trade-off[20] and second as a complement.[21] Sectoral laws impact security generally and cyber-infrastructure in particular.[22] These constrain activities in particular industries, ranging across several bellwether sectors like the federal regulation of healthcare, finance,[23] intellectual property, federal administrative law, education, veterans affairs, deceptive trade practices,[24] and children’s protection. The states are also active, primarily in cyber-infrastructure protection against identity theft with security breach notification (disclosure) requirements, spyware and data disposal provisions.

F. Layered Policy Mechanisms for Cyber-Infrastructure Security

Cyber-infrastructure security policy emanates from one or more of several layers; the optimal source depends on constraints imposed by political considerations as well as the predicted effectiveness of each in isolation and the system effectiveness of the combined set of controls. First, despite the market failure arguments detailed above, market discipline most certainly provides at least some useful pressure to invest in security.[25] A subset of market disciplines are industry best practices. These evince weak-form, de facto standardization (e.g., mimicking behavior) that functions best as a form of information sharing. Another component of market discipline is derived from the employment market for cyber-infrastructure security professionals. Security professionals share skill sets, some preparation (e.g., education, degrees from accredited institutions), and credentialing.[26] These factors arguably contribute to some uniformity among industry best practices. Professionalism in other professions has emanated from licensing statutes, malpractice litigation, and best practices. Second, de jure standards drive very significant security undertakings. For U.S. federal agencies, the Federal Information Security Management Act[27] (FISMA) is influential in creating an IT security compliance framework for both civilian and Department of Defense (DoD) agencies. In the private sector, there is a widening choice of de jure IT security standards from the National Institute of Standards and Technology (NIST),[28] the Control Objectives for Information and Related Technology (CoBIT) developed for investment securities disclosure and the financial services industry by the Information Systems Audit and Control Association (ISACA),[29] and the control standards of the International Organization for Standardization (ISO).

[18] See also Strauss, J., & Rogerson, K., Policies for Online Privacy in the United States and the European Union, 19 TELEMATICS & INFORMATICS 173 (2002).

[19] Bagby, John W., The Public Policy Environment of the Privacy-Security Conundrum/Complement, pp. 195-213, Ch. XII in Sangin Park (ed.), STRATEGIES AND POLICIES IN DIGITAL CONVERGENCE (2007 Idea Group Ref., Hershey PA).

[20] National security and criminal law are two closely connected examples of the tension created by strong privacy law, because it arguably leads to weak collective security.

[21] Strong personal security relies on strong privacy practices.

[22] Shaw, Thomas J. (ed.), INFORMATION SECURITY AND PRIVACY (Am. Bar Assn. 2010).

[23] Interestingly, the federal securities regulations, dating back at least to the late 1970s, drive significant security law, such as with the Foreign Corrupt Practices Act of 1977 (FCPA), Pub. L. 95–213, title I, § 104, Dec. 19, 1977, 91 Stat. 1496; amended Pub. L. 100–418, title V, § 5003(c), Aug. 23, 1988, 102 Stat. 1419; Pub. L. 103–322, title XXXIII, § 330005, Sept. 13, 1994, 108 Stat. 2142; amended Pub. L. 105–366, § 3, Nov. 10, 1998, 112 Stat. 3304; codified as 15 U.S.C. §§ 78dd-1, et seq. The FCPA created an internal control regime for publicly-traded companies that forms a legal basis for securing certain corporate assets. See generally Bagby, John W., Enforcement of Accounting Standards in the Foreign Corrupt Practices Act, 21 AM. BUS. L.J. 213 (Summer 1983). The Gramm/Leach/Bliley (G/L/B) Act created universal banking law by eliminating the Glass-Steagall separation of commercial banking, investment banking and insurance. G/L/B has privacy provisions that specify security requirements for personally identifiable information (PII). Financial Services Modernization Act of 1999, Pub. L. 106-102, 113 Stat. 1338 (1999). A third securities law, the post-Enron remediation law, Sarbanes-Oxley (SOX), reinforced the FCPA internal control regime for publicly-traded companies with provisions for internal control responsibilities requiring the development, implementation, testing and revision of controls, Public Company Accounting Reform and Investor Protection Act, Pub. L. 107-204, 116 Stat. 745 (2002). Finally, in the wake of the 2008 financial crisis, the remediation law, Dodd-Frank, requires the study of systemic financial risk and establishes a risk assessment regime for publicly-traded companies. Dodd–Frank Wall Street Reform and Consumer Protection Act, Pub. L. 111-203, H.R. 4173, 124 Stat. 1376 (2010). When integrated, these laws address many activities that contributed to security vulnerabilities, particularly weakness in national economic security.

[24] See generally Bagby, John W., Common Law Development of the Duty of Information Security in Financial Privacy Rights, FOURTH ANNUAL FORUM ON FINANCIAL INFORMATION SYSTEMS AND CYBERSECURITY: A PUBLIC POLICY PERSPECTIVE, Smith School of Business, Univ. Maryland, May 23, 2007, accessible at: http://faculty.ist.psu.edu/bagby/Pubs/CommonLawEfficiencyCustodyDutyInfoSecurity1.pdf

[25] Hahn, Robert W. & Anne Layne-Farrar, The Law and Economics of Software Security, 30 HARV. J. L. & PUB. POLICY 284 (2007) (arguing that market forces can work to incentivize security investment, that diverse software security problems suggest varying remediation approaches and that traditional criminal law is rather ineffective to deter cybercrime).

[26] A common security credential is the Certified Information Systems Security Professional (CISSP) issued by the International Information Systems Security Certification Consortium, Inc., (ISC)², a global, not-for-profit that provides education and
30 The effective penetration of alternative security standards varies considerably. 31 Third, constitutional provisions, statutes and administrative regulations certification in IT security. Dozens of competing certification authorities exist throughout the world. 27 FISMA is the Title II component of the E-Government Act of 2002, H. R. 2458, Pub.L. 107-347, 116 Stat. 2899; codified at 44 U.S.C. §3541, et seq. (establishes federal Chief Information Officer in the Office of Management and Budget (OMB); delegates authority to the National Institute for Standards and Technology (NIST) and the National Security Agency (NSA) to issue Federal Information Processing Standards (FIPS) applicable to federal agencies and some federal contractors. 28 The NIST 800-series adapts the FIPS to private-sector government contractors, accessible at: http://csrc.nist.gov/publications/PubsFIPS.html 29 COBIT standards are accessible by subscription at: http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx 30 IT security standards in the 27,000 series, Information Security Management Systems, are issued jointly by the ISO and the International Electrotechnical Commission (IEC). For example, ISO/IEC 27001: 2005 Information technology – Security techniques – Information security management systems – Requirements (2005) holds promise as an important model. Standards from the International Organization for Standardization (ISO) are generally accessible only on a fee-basis at http://www.iso.org 31 For example, FIPS penetration in U.S. federal agencies is strong while penetration into state governments is less so. COBIT is widely used by private-sector firms that are publicly-traded in the U.S. Penetration of ISO standards in the EU is substantial, but lags considerably in the U.S. One explanation may be that mandatory compliance with ISO standards is much stronger in the EU than in the U.S. 
One major exception for world-wide conformity to ISO standards are the isotainers developed by Malcolm P. McLean of U.S.based Sea-Land Corp. Containerized freight must be compliant with ISO 668 - Series 1 freight containers -- Classification, dimensions and ratings (1995). See also Container Handbook (Gesamtverband der Deutschen Versicherungswirtschaft e.V. - GDV) 2009, accessible at: www.containerhandbuch.de/ 14 CyberSecurity Infrastructure Policy Conformance Jan.2015 are likely to provide increasingly specific security incentives. The U.S. Constitution provides several structural security provisions: U.S. and several state statutes mandate specific and largely sectoral security requirements. Adminsitrative regulations, most at the federal level, also mandate security. Fourth, importantly for the development of more comprehensive security regimes, case law interpreting privacy law, 32 at both state and federal levels, is refining security duties in various sectors. 33 G. Regulatory Tools Various mechanisms can incentivize security investment. Some are appropriate from almost any source, for example, professionalism of cyberinfrastructure personnel could be incentivized, as it is for other professions, by licensing standards, malpractice litigation duties and regulatory requirements, any of which could be mandated by either state or federal law as supplemented by professional NGO associations. Appropriate flexibility in cyber-infrastructure security practices is accommodated when standards are produced by expert sources, such as are the audit standards for professional self-regulation. Disclosure is becoming an effective incentive to cyber-infrastructure security investment. Consider that forty-six states 34 and at least one federal statute 35 require disclosure of security intrusions from breaches of PII databases. 
Direct personal delivery of disclosure notice generally must be delivered directly to potentially impacted parties under security breach notification legislation. Breach notices are hard to keep secret, most are publicized broadly supplementing the victims’ pressure with other market 32 See e.g., White, Anthony E., The Recognition of a Negligence Cause of Action for Victims of Identity Theft: Someone Stole My Identity, Now Who Is Going to Pay for It,; 88 MARQ. L. REV. 847 (2004-2005). 33 See e.g., Bagby, John W, Common Law Development of the Duty of Information Security in Financial Privacy Rights, FOURTH ANNUAL FORUM ON FINANCIAL INFORMATION SYSTEMS AND CYBERSECURITY: A PUBLIC POLICY PERSPECTIVE, Smith School of Business, Univ. Maryland, May 23, 2007 accessible at: http://faculty.ist.psu.edu/bagby/Pubs/CommonLawEfficiencyCustodyDutyInfoSecurity1.pdf 34 For a fairly current, comprehensive listing see Security Breach Legislation 2011, The National Conference of State Legislatures, accessible at: http://www.ncsl.org/default.aspx?tabid=22295 (brief state-by-state description) http://www.ncsl.org/default.aspx?tabid=13489 (table) 35 Health Information Technology for Economic and Clinical Health (HITECH) Act applies a federal security breach notification requirement for protected healthcare information (PHI) governed under the Health Insurance Portability and Accountability Act (HIPAA). HITECH is a component of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub.L.111-5. Jan.2015 YOUR TITLE 15 disciplines. Eventually these have resulted in pressures for more legislation. 36 Some such legislation requires further implementation by regulatory agencies. 37 Several less onerous security incentives may be supplied by proposed regulation, some have been included as part of consent decree settlements with regulators, and some are beginning to appear in many de jure standards. 
For example, mandatory security management regimes require contingency planning addressing a wide range of activities that are components of security risk management. The range of activities is considerable and is best customized to the size of the entity, the line of the entity’s business activities, and the particular risks that are most likely. Risk assessment regimes are often implemented as a master risk-benefit analysis. At a minimum, such regimes require (1) initial then ongoing threat assessment, (2) iterative response planning, and (3) risk control, retention, sharing, and transfer. Security audits by internal auditors as well as periodic certified audits by independent experts or other audit authorities are an increasingly frequent security mechanism. These engagements rely on identification of technical and administrative controls and then requires their testing. Cyber-infrastructure security regimes are well-represented in these emerging audit practices. To date, cyber-infrastructure security regulations seldom specify particular technical protections to enhance security. There has been very considerable push-back against this rules-based standardization or mandatory security methods approach. 38 The “K Street” success by lobbyists opposing a strict rules-based approach requiring particular design or performance standards may be the most cogent explanation for the current fragmented state of security incentives. For example, while encryption is an obvious remedy for insecure IT systems, few statutes or 36 PrivacyRights.org is one of several compilers of privacy breach notices, see: http://www.privacyrights.org 37 See e.g., Breach Notification for Unsecured Protected Health Information, 74 Fed.Reg.42740 (August 24, 2009) codified as 45 C.F.R. 160 et. seq. (2010). 38 See, Letter from R. Bruce Josten, U.S. Chamber of Commerce, to Members of U.S. Senate (July 31, 2012) (voicing strong opposition to S.3414 Cybersecurity Act of 2012). 
But see, Letter from Sen. John D. (Jay) Rockefeller IV, Chairman, Senate Committee On Commerce, Science, & Transportation, to Fortune 500 CEOs (Sept. 19, 2012) (requesting views on cybersecurity practices and failed regulation). An interesting conflict is now noted in the divergence of attitude between the industry-wide lobbying powerhouse, the U.S. Chamber of Commerce, that generally took a hard line against any mandatory cyber-infrastructure regulations, and supportive responses of Fortune 500 CEOs to Senator Jay Rockafeller’s direct solicitation of support for cyberinfrastructure security regulations. 16 CyberSecurity Infrastructure Policy Conformance Jan.2015 regulations directly require encryption. 39 H. Policy Analysis of the Information Sharing Mechanism Cyber-infrastructure security policy is again stalled in Congress, 40 strong factions oppose the costly moves generally recognized as essential to threat reduction (e.g., mandatory encryption). 41 Absent cataclysmic events, only the most tentative forward steps are likely in the near term. 42 With direct mandates of particular cyber-infrastructure measures on hold, a major focus, perhaps “the cornerstone” for improving security, remains information sharing. 43 Arguably, the most useful information is that which is shared discretely among cyber-attack targets. For example, such attack experience information could conceivably identify assailants, discern methods and identify targets, all with a view to quick response development. While some targets are likely incapable of detecting, understanding or archiving such information, development of this capacity is a sub-goal of the information sharing ideal. Such information likely 39 See e.g., Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82. California’s S.B.1386 does not require encryption but exempts incidents from disclosure if the data lost in a breach is encrypted. Id at §2. 40 U.S. 
House of Representatives actions all failed to become legislation and include at least the following: H.R.3674, Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PRECISE Act) (Lungren); H.R. 4263: SECURE IT Act of 2012, 112th Congress, 2011–2012. Text as of Mar 27, 2012 accessible at: http://www.gpo.gov/fdsys/pkg/BILLS-112hr4263ih/pdf/BILLS-112hr4263ih.pdf http://www.govtrack.us/congress/bills/112/hr4263; H.R.3523, Cyber Intelligence Sharing and Protection Act (CISPA) (introduced Nov. 30, 2011 by Mike Rogers, R-Mich, passed House April 26, 2012 (248–168)); H.R.326, Stop Online Piracy Act (SOPA) (Introduced October 26, 2011 by Lamar Smith, R-Tx). U.S. Senate actions all failed to become legislation but include at least the following: S.2105 Cybersecurity Act (Lieberman-Collins); S.2151, Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, (SECURE IT) (introduced by John McCain, R-Az); S.968, Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT IP Act or PIPA) (introduced May 12, 2011 by Patrick Leahy, D-Vt). 41 See e.g., Yadron Danny, Lobbying Over Cyber Attacks, Wall St. J. at B4 (Jan.9, 2013); Letter from R. Bruce Josten, U.S. Chamber of Commerce, to Members of U.S. Senate (July 31, 2012) (voicing strong opposition to S.3414 Cybersecurity Act of 2012).. 42 Obama, Barack, Improving Critical Infrastructure Cybersecurity, Exec.Order No. 13,636 (est.) (Feb.12, 2013) (authorizes federal agency information sharing with private sector cyber-infrastructure owners and operators). See also McCain, John, Kay Bailey Hutchison & Saxby Chambliss, No Cybersecurity Executive Order, Please, Wall St.J. (Sept.14, 2012) at A13 (arguing Presidential overreaching to bypass Congress with expansive cyber-infrastructure protection executive order(s) in effort to unilaterally revive the failed legislation). 
43 See e.g., Cybersecurity, THE CIP REPORT, vol.10, no.10 (April 2012), Center for Infrastructure Protection & Homeland Security, George Mason Univ. School of Law. Jan.2015 YOUR TITLE 17 would permit hardening defenses in quick response environments and, when perfected in near real time, could enable counter measures. However, such plans are hallow unless information is fully and freely shared. What barriers exist to information sharing? Three major classes of disincentive to information sharing likely exist: (1) competitive disadvantage, (2) litigation encouragement, and (3) regulatory pressures. First, disclosures revealing proprietary information are regularly resisted forms of information sharing. Such information is highly valuable to enable harassment by competitors, regulators and others seeking to hold the entity responsible (e.g., shareholder litigation, surrounding community environmental degradation lawsuits). Entities are unlikely to forthrightly volunteer to disclose proprietary information when it either undermines competitive advantage that supports abnormal profits or it constitutes deservedly discrediting information. 44 Deservedly discrediting information raises risks of regulatory attention, liability lawsuits and punitive interest in vindicating mismanagement concerning any entity’s products, markets, organization management. These are public policy questions equally applicable to the accountability of both private-sector, for-profit businesses as well as public-sector governments or NGOs. Second, disclosures enable attack on cyber infrastructure as attackers learn of transitory or enduring vulnerabilities. Furthermore, information sharing through public disclosure of facts, conditions or incidents signals mismanagement of cyber-infrastructure security. 
Private lawsuits for negligent mismanagement, regulatory enforcement for violations of cyberinfrastructure security standards and criminal prosecutions for a wide variety of legal wrongs are enabled by information sharing. Third, increased disclosures raise public ire about insecure networks creating a self-fulfilling prophesy and frequently prompt new regulations or legal liabilities. From time to time, amnesty programs by criminal prosecutors (foreign bribery) 45 financial regulators and tax authorities have 44 Posner, Richard, ECONOMIC ANALYSIS OF LAW, 2d ed. (Little Brown, 1977) at 55. Securities and Exchange Commission v. Siemens Aktiengesellschaft, SEC Litig.Rel.No. 20829 (Dec. 15, 2008) Acctg. & Audit. Enf. Rel No. 2911 Civ. Act. No. 08 CV 02167 (D.D.C.) accessible at http://www.sec.gov/litigation/litreleases/2008/lr20829.htm (Siemens’ employee amnesty program essential to SEC enforcement action finding systematic practice of paying bribes to foreign government officials to obtain business). Indeed, the FCPA was itself predicated on a 1970s SEC amnesty program that discovered pervasive foreign bribery, the internal accounting controls provisions that underlie as a basic pillar to U.S. security law were the direct result of this public information disclosure). 45 18 CyberSecurity Infrastructure Policy Conformance Jan.2015 thrived. These disincentives are so fundamental that regulatory encouragement are unlikely to ever be fully embraced, some information will likely remain secret as valuable proprietary assets or withheld for defensive risk aversion. For example, competitors discovering effective cyber-attack defenses are unlikely to share with other competitors their most potent counter-measures unless a business model arises to create value propositions in their resale (e.g., security consulting). 
Perhaps third party security service providers are becoming a better mechanism to share such intrusion experience and distribute this as defensive software, security management practices or hardware re-configurations. Similarly, there will remain strong incentive to withhold disclosure of information about vulnerabilities when they can be successfully held confidential. Information sharing still holds promise to achieve systemic resilience. Such shared information is likely to be composed of new attack strategies, reveal new targets, permit analysis of evolving attack and defense methods, and can reveal new sources of attack. All these classes of non-disclosure are likely to be broadly useful to achieve systemic resilience. Therefore, with some information stubbornly undisclosed, the voluntary information sharing mechanism remains somewhat limited. Critics may charge voluntary systems provide skewed results or are hopelessly idealistic rendering them too often ineffective. How is information sharing accomplished while overcoming the three major difficulties noted above? Some industries are exemplars where their information sharing schemes have succeeded with proven track records. A precious few industry-wide groups successfully function as information clearing houses with a focus on critical infrastructure protection. The Center for Disease Control, a component agency under the Department of Health and Human Services (DHHS), functions as a federally supported clearing house particularly useful when new disease outbreaks threaten public health quickly and profoundly. Also consider the experience of another information sharing analysis center (ISAC) assisting the electric power grid. The electric power industry’s ISAC is perhaps the most successful, nongovernmental exemplar. 
The North American Electric Reliability Council (NERC) facilitates the sharing of operational problems and thereby enables quick response control changes that produce a fairly robust and reliable power grid. The grid’s reliability requires real time speed of sharing information about threat prevention, protection, response and recovery. Electric power generated is immediately distributed so it must have nearly Jan.2015 YOUR TITLE 19 immediate consumption, or shutdown by automatic breakers and/or human control intervention is always necessary to avoid damage to physical system components. There is no practical storage buffer for electricity. 46 However, the most successful ISACs largely populate industries with weak competition. Competitive electricity distribution existed only briefly at the beginning of the 20th century. The destructive competition and huge and wasteful duplicative distribution network build-out at that time was eventually replaced with service area franchises addressed by regulated monopolies. The competitive electric power generation market of the 21st century is regulated by a fragmented state-by-state patchwork so coordination problems for the future are not yet fully understood. Similarly, health care competition remains embryonic despite decades of health care reforms. Therefore, ISACs in highly competitive industries remain largely unexplored. The information sharing disincentives discussed in this section will likely impose very significant barriers to cyber-infrastructure protection without considerable public policy intervention. A more robust understanding of industrial organization incentives and the control over the performance of government intervention is needed before cyberinfrastructure policy can benefit economic security. I. 
Tentative Observations: A Range of Alternative Cyber-Infrastructure Protection Models Business-government relations lie at the heart of any successful resolution to the cyber-infrastructure protection policy morass. The traditional conceptualization that these are stubbornly adversarial relations is episodic at best and inaccurate for many industries.47 Cyber-infrastructure engages both (once) highly regulated industry sectors like telecommunications with historically unregulated industries, such as software. Computer and network security professionals occupy a central position in this industrial organization, an area of budding professionalism, skills 46 A complete compendium of ISAC functions is well beyond the scope of this cyberinfrastructure protection treatment. Significant academic research strongly suggests that eroding information barriers would produce systemic benefits, see e.g., Gordon, Lawrence A. Martin P. Loeb, William Lucyshyn, Sharing information on computer systems security: An economic analysis, 22 J.ACCTG.& PUBL.P’LCY. 461-485 (Nov.-Dec.2003) (arguing computer security enhanced at lower per firm cost with information sharing). 47 Stevens, John M., Steven L. Wartick & John W. Bagby, BUSINESS-GOVERNMENT RELATIONS AND INTERDEPENDENCE: A MANAGERIAL AND ANALYTIC PERSPECTIVE, Quorum Books, Westport CN (1988). For example, the energy, environmental, financial and construction industries have had more recurring adversarial relations with government regulators than have the defense industrial base, management consulting, professional civil engineering and transportation industries. 20 CyberSecurity Infrastructure Policy Conformance Jan.2015 certification and looming regulatory pressures. Several potential public policy implementation models are evident to resolve the cyberinfrastructure security dilemma. Some aspects of each of these are suggested by the preceding analysis in this paper. 
They range from uncoordinated competition through strong totalitarian command and control, each with often foreseeable, but unique profiles for their relative advantages and disadvantages in impacting cyber-infrastructure security, liberty and competitive capitalism. Current U.S. cyber-infrastructure protection policy is but a patchwork of components of the possible policy models. Consider the fierce opposition recently and successfully brought to bear opposing strong and mandatory cyber-security legislation by some pro-business advocates and lobbying groups. This experience suggests that there will continue to be stubborn pressure for laissez-faire policies. Absent cataclysmic disaster, the noregulation, market approach will continue to have powerful adherents. Of course, similar forces have had much more limited success in industries where cyber-security regulation has successfully penetrated. For example, industries such as banking, finance, electric power, and air transport have strong cyber-security mandates. Interestingly, despite the inherent resilience of network industries, their systemic vulnerabilities have attracted stronger cyber-infrastructure protection policy mandates. The system of civil liability appears to exert, at most, only minimal discipline on cyber-infrastructure security readiness. Despite a decade of Federal Trade Commission lawsuits citing highly particularized and technical computer and network vulnerabilities as well as consent decrees requiring very specific technical safeguards, the litigation threat has imposed limited deterrent effects and remains mostly a remedial approach. 
48 Proprietary standards set by contract under the auspices of trade associations 49 and open source standards set by standards development 48 See Privacy and Security Legal Resources, Bureau of Consumer Protection, Federal Trade Commission, (website repositories of case law, reports, statutes, regulations, enforcement case histories) accessible at; http://business.ftc.gov/privacy-and-security 49 Epstein, Richard A. & Thomas P. Brown, Cybersecurity in the Payment Card Industry, 75 UNIV. CHIC. L. REV. 203-223 (Winter, 2008) (illustrating existing financial cyberinfrastructure protection policy weakness and anticipating PCI Security Standards Council’s DSS standard for payment card cyber-security). The PCI DSS standard is proprietary and this attracts compliance methods patents that derive independent proprietary rights, see e.g., U.S. Patent 8,261,342, Payment Card Industry (PCI) Compliant Architecture and Associated Methodology Of Managing A Service Infrastructure, (issued Sept.4, 2012) (describing a PCI DSS compliance system and payment card network Jan.2015 YOUR TITLE 21 organizations 50 show some promise to raise cyber-infrastructure readiness. Despite the range of public policy alternatives to deploy cyberinfrastructure protection, it should be foreseen that some voices may advocate much more significant intrusion by government command and control into private-sector decision-making about the cyber-infrastructure. Candice Yu of the Truman National Security Project commented recently on new rules of engagement in cyber-warfare that could lead to U.S. military assumption of civilian critical infrastructures protection. Although clearly admitting the military’s limited expertise and competence to operate private-sector critical infrastructures, an ominous implication remains clear: Some have called for authorizing the military to defend private corporate networks and critical infrastructure sectors, like gas pipelines and water systems. This is unrealistic. 
The military has neither the specialized expertise nor the capacity to do this; it needs to address only the most urgent threats...As a result, everyone has a role to play in cybersecurity, and the military should get involved only in extreme circumstances…But, if a cyber-intrusion creates a large-scale power loss in the dead of winter, we should explore military options. Many lives may depend on it. 51 There is urgency to find consensus on policies that improve cyberinfrastructure security. This is a national imperative on all owners, operators and maintainers of critical infrastructures. This study suggests that resolution requires examination of the industrial organization challenges. The cataclysmic alternatives are too numerous to remain inactive in the cyber-infrastructure policy debate. security monitoring apparatus). 50 ISO/IEC 27000 family of cyber-security standards. 51 Yu, Candace, We Have an Antiquated Framework, N.Y.T. (Feb.28, 2013) accessible at: http://www.nytimes.com/roomfordebate/2013/02/28/what-is-an-act-of-cyberwar/wehave-an-antiquated-framework-for-dealing-with-cyberthreats